After sending my post, and thinking about it.... I suppose my answer is probably not right, that the old UserReference is reused for a new session.

In theory, if 10 different people all clicked on the same Search page links, which all had the same UserReference key value - and the old key IS reused for the new session(s) - then 10 people could be sharing the same User variables. Not good.

Does somebody have a better answer than me? Like I mentioned, I don't personally use <@USERREFERENCEARGUMENT> in my apps and strictly rely on the session-cookie. So the above wouldn't happen to me, and I don't have an opportunity to test my own answer.

Any feedback anyone???

Scott Cadillac,
Witango.org - http://witango.org
403-281-6090 - [EMAIL PROTECTED]
--
Information for the Witango Developer Community
---------------------

XML-Extranet - http://xml-extra.net
403-281-6090 - [EMAIL PROTECTED]
--
Well-formed Development (for hire)
---------------------

> -----Original Message-----
> From: Scott Cadillac [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 11:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Witango-Talk: what happens with expired userReference?
>
> Hi Roland,
>
> As long as the VariableTimeout has expired by the time of the new page visitor (with the old link), then the old User Variables are gone - and new ones are assigned as needed.
>
> I think, but not 100% sure, that the old UserReference key value in the old link is actually reused. This particular question is tough to answer because for myself, I don't use <@USERREFERENCEARGUMENT> and just rely on session-cookies, which means your scenario would never present itself.
>
> It is when the VariableTimeout period has not expired yet (default 30 minutes) that a security issue is introduced, where the new visitor can be given access to someone else's User Variables. This is known as Session Hijacking.
>
> But, with all that said, your scenario I think is less problematic.
>
> Your concern is about when a SearchBot hits your site and is automatically granted a <@USERREFERENCE> key. This key value is then stored as part of your site links for a search engine - which is then exposed to anonymous users.
>
> In theory the SearchBot is not logging in to secure pages with a password, and is typically not trying to do on-line purchases - so I would think there is very little to hijack. Especially given the fact that a case for hijacking is very remote here.
>
> In theory, in your code, any User Variables you assign to anonymous visitors on the public side of your pages are relatively non-critical - which is all a SearchBot would be granted, or any other public visitor who has not logged in yet.
>
> Of course that is just theory because I don't really know what you're assigning your public anonymous visitors, with respect to Variables or your VariableTimeout setting.
>
> Hope this helps. Cheers....
>
> Scott Cadillac
>
> > -----Original Message-----
> > From: Stefan Gonick [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 06, 2003 11:05 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Witango-Talk: what happens with expired userReference?
> >
> > I'm pretty sure that the Witango server starts a new user session if the user reference has expired.
> >
> > Stefan
> >
> > At 09:47 AM 8/6/2003 -0700, you wrote:
> > >when you have a project and the company's IT manager personally refuses cookies, he writes it into the job spec that the site work for people who hate cookies. ain't that nice?
> > >
> > >On Wednesday, August 6, 2003, at 09:36 AM, Bill Conlon wrote:
> > >
> > >>Yet another reason to use <@USERREFERENCECOOKIE>
> > >>
> > >>>when a bot cruises through a site and each link has a userReference=xxx URL argument, it stores those along with the stable URL. What happens when someone comes back to that exact URL, userreference and all, after the session variables have expired?
> > >
> > >________________________________________________________________________
> > >TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
> >
> > ========================================================
> > Database WebWorks: Dynamic web sites through database integration
> > http://www.DatabaseWebWorks.com
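The two cases argued over in this thread (an indexed link whose userReference key has expired, and one whose key is still inside the VariableTimeout window) can be made concrete with a small session-store simulation. The code below is an added illustration, not code from the thread and not Witango's own implementation: it assumes a URL argument named userReference, a 30-minute timeout matching the default quoted above, and models both possible server behaviours for an expired key (reuse the presented key as-is, which is what Scott fears, versus ignore it and issue a fresh random key, which is what Stefan expects).

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed 30-minute timeout, mirroring the VariableTimeout default quoted in the thread.
VARIABLE_TIMEOUT = 30 * 60


class SessionStore:
    """Minimal server-side session table keyed by an opaque session key."""

    def __init__(self, adopt_unknown_keys, timeout=VARIABLE_TIMEOUT):
        # adopt_unknown_keys=True: a presented key that is not live is reused as-is
        # (the behaviour the thread worries about). False: such keys are ignored
        # and a fresh random key is issued instead.
        self.adopt_unknown_keys = adopt_unknown_keys
        self.timeout = timeout
        self._sessions = {}  # key -> {"vars": {...}, "last_seen": seconds}

    def resolve(self, presented_key, now):
        """Map a request (optionally carrying a key) to (key, user_vars)."""
        entry = self._sessions.get(presented_key) if presented_key else None
        if entry is not None:
            if now - entry["last_seen"] <= self.timeout:
                entry["last_seen"] = now            # live session: hand back its variables
                return presented_key, entry["vars"]
            del self._sessions[presented_key]       # expired: the old variables are gone
        if presented_key and self.adopt_unknown_keys:
            key = presented_key                     # unsafe: everyone holding the link lands here
        else:
            key = secrets.token_urlsafe(16)         # fresh, unguessable key
        self._sessions[key] = {"vars": {}, "last_seen": now}
        return key, self._sessions[key]["vars"]


def key_from_url(url, param="userReference"):
    """Pull the session key out of a URL argument (parameter name is an assumption)."""
    return parse_qs(urlsplit(url).query).get(param, [None])[0]


def indexed_link_scenario(adopt_unknown_keys, visitors=10):
    """A bot is issued a key, the key is indexed in a link, and visitors follow that
    link a day later, long after the bot's session expired.

    Returns (bot_key, [session key each visitor ended up with]).
    """
    store = SessionStore(adopt_unknown_keys)
    bot_key, _ = store.resolve(None, now=0)
    # Constructed link of the kind a search engine would store.
    link = f"http://www.example.test/search.taf?userReference={bot_key}"
    later = 24 * 3600
    keys = []
    for i in range(visitors):
        key, user_vars = store.resolve(key_from_url(link), now=later + i)
        user_vars.setdefault("first_visitor", i)  # whoever arrives first sets this
        keys.append(key)
    return bot_key, keys


def live_key_scenario(adopt_unknown_keys):
    """A key that is still inside the timeout window is presented by a second party.

    Returns the 'cart' variable the second party sees.
    """
    store = SessionStore(adopt_unknown_keys)
    victim_key, victim_vars = store.resolve(None, now=0)
    victim_vars["cart"] = ["widget"]
    link = f"http://www.example.test/cart.taf?userReference={victim_key}"
    _, other_vars = store.resolve(key_from_url(link), now=5 * 60)  # five minutes later
    return other_vars.get("cart")


if __name__ == "__main__":
    for adopt in (True, False):
        bot_key, keys = indexed_link_scenario(adopt)
        print(f"adopt_unknown_keys={adopt}: {len(set(keys))} distinct session(s) "
              f"for 10 visitors, shared with bot key: {bot_key in keys}")
        print(f"adopt_unknown_keys={adopt}: live key presented by a stranger sees "
              f"cart={live_key_scenario(adopt)}")
```

With adopt_unknown_keys=True every visitor who follows the indexed link is folded into one session keyed by the bot's old value, which is exactly the "10 people sharing the same User variables" outcome. With it set to False each visitor gets a distinct fresh key and the old key is never reused. The second scenario shows why the cookie approach is still preferable: if a key is in the URL and is still within the timeout, any second holder of the link gets the first visitor's variables under either policy, because the server cannot tell the two requests apart.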
