Roland

By writing over the Witango_UserReference Cookie with your own value, you have effectively done that, because only the server (theoretically) can change the browser session cookie. So the browser changes the cookie, and now even if they go somewhere else the session cookie won't point to the original variables that were set.

Now this only works when you stop adding the <@USERREFERENCEARGUMENT> to the URL. I know it is like taking your first step, but you don't need to use it in your address line because the session cookie is handling it.

You could place some code in your existing apps that used to use USERREF, like so:

if _USERREFERENCE is not empty then refresh back to login form

This way all those old links will start dying.

Ben Johansen

-----Original Message-----
From: Roland A. Dumas [SMTP:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 1:34 PM
To: [EMAIL PROTECTED]
Subject: Re: Witango-Talk: resetting userreferencecookie

objective: prevent session hijacking/tailgating

someone comes in with a userreference argument attached to a URL. They get that session. They join it if it is active.

When someone logs in, they get a logon session cookie. If they appear at key points in the site with a witango session cookie and not a logon, they get cycled to the logon tcf, stripped of user variables and session cookies, and they go through the logon process, where statistics are generated, user variables assigned, etc.

Or so I thought. When I checked, writing over and expiring the userreference cookie didn't kill the session.

We should be able to expire a session, don't you think?

On Tuesday, October 7, 2003, at 01:13 PM, Scott Cadillac wrote:

> Hi Roland,
>
> Although Witango has many extensive features that can be programmed, I'm not
> 100% sure what you're trying to do is considered one of them.
>
> Meaning...it sounds like you're bumping into some design of the Server
> intended for stable memory management.
>
> Maybe we can ask what your intended goal is?
>
> What is it that you're trying to do exactly - maybe there is another
> approach?
>
> Let us know, when you have a moment. Cheers....
>
> Scott Cadillac,
> Witango.org - http://witango.org
> 403-281-6090 - [EMAIL PROTECTED]
> --
> Information for the Witango Developer Community
> ---------------------
>
> XML-Extranet - http://xmlx.ca
> 403-281-6090 - [EMAIL PROTECTED]
> --
> Well-formed Development (for hire)
> ---------------------
>
>> -----Original Message-----
>> From: Roland A. Dumas [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 07, 2003 1:50 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: Witango-Talk: resetting userreferencecookie
>>
>> If I set a new value to the witango_userreference cookie, it shows up
>> as changed, but <@userreference> returns the original value.
>> Something else is keeping it put
>>
>> (no get or postargs with userreference in them, either)
>>
>> On Tuesday, October 7, 2003, at 12:36 PM, Ben Johansen wrote:
>>
>>> Ok,
>>> My post from my other server didn't make it through.
>>> to change the Witango_UserReference cookie you can't use the EXPIRES
>>> because it is a session cookie
>>>
>>> Ben Johansen
>>>
>>> -----Original Message-----
>>> From: Roland A. Dumas [SMTP:[EMAIL PROTECTED]
>>> Sent: Tuesday, October 07, 2003 12:31 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: Re: Witango-Talk: resetting userreferencecookie
>>>
>>> Thanks
>>> I figured I should be able to set @@cookie$witango_userreference to
>>> expire and have witango server create a new one on the spot, but there
>>> seems to be something very persistent about it. jest won't die.
>>>
>>> hmmm.. maybe Fergal knows
>>>
>>> On Tuesday, October 7, 2003, at 12:19 PM, Ben Johansen wrote:
>>>
>>>> I have been trying with my testautocookie.taf and seeing the same
>>>> thing
>>>>
>>>> I have been looking at it and wanted you to know that there was
>>>> someone looking at it :)
>>>>
>>>> Ben Johansen - http://www.pcforge.com
>>>> Authorized Witango & MDaemon Reseller
>>>> Available for Witango Development
>>>>
>>>> -----Original Message-----
>>>> From: Roland A. Dumas [mailto:[EMAIL PROTECTED]
>>>> Sent: Tuesday, October 07, 2003 12:11 PM
>>>> To: [EMAIL PROTECTED]
>>>> Subject: Witango-Talk: resetting userreferencecookie
>>>>
>>>> If I try to rub out the userreference cookie thusly, it comes right
>>>> back. How can I kill it and reset in the same request?
>>>>
>>>> <@ASSIGN name="Witango_userreference" scope=cookie value="now"
>>>> expires="Tue, 07-Oct-03 00:00:00 GMT ">

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
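
The session handling this thread is after, sketched in Python as an added example (it is not Witango code and does not come from any poster): the session is retired on the server rather than by expiring the cookie, the id is rotated at logon, and an id arriving as a URL argument is never joined. `SessionStore` and `handle_request` are hypothetical names; the cookie and argument names are the ones quoted in the thread.

```python
import secrets

COOKIE = "Witango_UserReference"   # cookie name as given in the thread
URL_ARG = "_userreference"         # URL argument from the thread, compared case-insensitively


class SessionStore:
    """Hypothetical server-side session table; the cookie only carries the key."""

    def __init__(self):
        self._sessions = {}

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)      # unguessable id
        self._sessions[sid] = {"user": user}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        # Killing the session means deleting the server-side record;
        # expiring the cookie alone leaves this record usable.
        self._sessions.pop(sid, None)

    def login(self, old_sid, user):
        # Rotate the id at logon so an id seen before logon is worthless after.
        self.destroy(old_sid)
        return self.create(user)


def handle_request(store, cookies, query):
    """Return (action, session_id); ids are honoured from the cookie only."""
    for name, value in query.items():
        if name.lower() == URL_ARG and value:
            store.destroy(value)             # id was exposed in a URL: retire it
            return ("redirect_login", None)
    sid = cookies.get(COOKIE)
    session = store.get(sid) if sid else None
    if session is None or session["user"] is None:
        return ("redirect_login", None)      # no logon on record for this id
    return ("ok", sid)
```
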
