Hi Roland,

This is certainly turning into an interesting thread.

So, just to be clear, you are assigning a separate "custom" session-cookie
with a successful logon?

And the absence of this additional custom session-cookie indicates a
possible instance of session hijacking/tailgating, correct? So you force them
to logon.

Good idea. 

But yes, if your findings are correct (and I'm following correctly what you
are describing) and you did manage to change the Witango_UserReference
cookie value, I suppose the Witango Server is just trying to be efficient
and re-use the previously allocated memory space on the Server with the
"new" Witango_UserReference key value you assigned - especially if all this
happens within a single execution of a TAF.

In theory you should be able to "reset" the memory space for the User
Variables with the new key value - but my guess is just that nobody has
taken it this far before, so the Server design might not accommodate it.
Just a guess of course...


---
So, in the meantime (until we hear more suggestions and insight), here a
couple of thoughts:

~~ Suggestion one: Break up the Witango_UserReference re-assignment into two
TAF calls. The first TAF removes the Witango_UserReference cookie altogether
(and the _UserReference argument), then a redirect calls the second TAF that
will assign a new key value automatically. The Server, in theory, will act
like the second request is from a completely new User and will allocate new
memory space for their User Variables.


~~ Suggestion two: If you are already relying on a "custom" session-cookie
anyway, why bother with the <@USERREFERENCEARGUMENT> Meta Tag at all?

Removing <@USERREFERENCEARGUMENT> from your pages is the best preventive
measure you can employ to prevent session hijack/tailgating to begin with.
It means the Server has to rely on session-cookies, but if you're using them
already, then you're not losing anything.

Like I've mentioned in the past, I don't use <@USERREFERENCEARGUMENT> at all
and never have these issues. Having Users turn on session-cookies as a
requirement for logon is not much to ask - and so far has never been a
problem.


Hope this helps. Cheers.....

Scott Cadillac,
Witango.org - http://witango.org
403-281-6090 - [EMAIL PROTECTED]
--
Information for the Witango Developer Community
---------------------

XML-Extranet - http://xmlx.ca
403-281-6090 - [EMAIL PROTECTED]
--
Well-formed Development (for hire)
---------------------
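A small model of the session handling Roland describes and of the two suggestions above, as an added illustration (Python, not Witango code and not from any list member): a server-side table of user variables keyed by the session reference, a resolver that can either accept or ignore a URL-carried _UserReference argument, and a logon step that drops the old reference and allocates a fresh one. The class name, the "logon" cookie name and the sample usernames are constructed for the example.

```python
import secrets


class SessionStore:
    """Server-side user variables keyed by session reference (constructed model)."""

    def __init__(self):
        self._vars = {}

    def has(self, ref):
        return ref in self._vars

    def resolve(self, cookies, url_args, accept_url_reference=False):
        # accept_url_reference=True models <@USERREFERENCEARGUMENT>: anyone who
        # holds a link carrying _UserReference joins that session (tailgating).
        # The hardened default takes the reference from the session cookie only.
        ref = cookies.get("Witango_UserReference")
        if accept_url_reference and ref is None:
            ref = url_args.get("_UserReference")
        if ref is None or ref not in self._vars:
            ref = secrets.token_hex(16)      # brand-new user: allocate fresh space
            self._vars[ref] = {}
        cookies["Witango_UserReference"] = ref
        return ref

    def login(self, cookies, username):
        # Suggestion one in a single step: discard the pre-logon reference and its
        # user variables, then allocate a new reference plus the custom logon cookie.
        self._vars.pop(cookies.get("Witango_UserReference"), None)
        new_ref, logon = secrets.token_hex(16), secrets.token_hex(16)
        self._vars[new_ref] = {"user": username, "logon": logon}
        cookies["Witango_UserReference"] = new_ref
        cookies["logon"] = logon
        return new_ref

    def check_key_point(self, cookies):
        # Roland's check: a session cookie without a matching logon cookie means
        # strip the user variables and send the client back through logon.
        ref = cookies.get("Witango_UserReference")
        sess = self._vars.get(ref)
        if sess is None or sess.get("logon") != cookies.get("logon"):
            self._vars.pop(ref, None)
            cookies.pop("Witango_UserReference", None)
            cookies.pop("logon", None)
            return False
        return True
```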


> -----Original Message-----
> From: Roland A. Dumas [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 07, 2003 2:34 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Witango-Talk: resetting userreferencecookie
> 
> 
> objective: prevent session hijacking/tailgating
> 
> someone comes in with a userreference argument attached to a 
> URL. They  
> get that session. They join it if it is active.
> 
> When someone logs in, they get a logon session cookie. If 
> they appear  
> at key points in the site with a witango session cookie and not a  
> logon, they get cycled to the logon tcf, stripped of user 
> variables and  
> session cookies, and they go through the logon process, where  
> statistics are generated, user variables assigned, etc.
> 
> Or so I thought. When I checked, writing over and expiring the  
> userreference cookie didn't kill the session.  We should be able to  
> expire a session, don't you think?
> 
> 
> 
> On Tuesday, October 7, 2003, at 01:13 PM, Scott Cadillac wrote:
> 
> > Hi Roland,
> >
> > Although Witango has many extensive features that can be programmed,
> > I'm not 100% sure what you're trying to do is considered one of them.
> >
> > Meaning...it sounds like you're bumping into some design of the Server
> > intended for stable memory management.
> >
> > Maybe we can ask what your intended goal is?
> >
> > What is it that you're trying to do exactly - maybe there is another
> > approach?
> >
> > Let us know, when you have a moment. Cheers....
> >
> > Scott Cadillac,
> > Witango.org - http://witango.org
> > 403-281-6090 - [EMAIL PROTECTED]
> > --
> > Information for the Witango Developer Community
> > ---------------------
> >
> > XML-Extranet - http://xmlx.ca
> > 403-281-6090 - [EMAIL PROTECTED]
> > --
> > Well-formed Development (for hire)
> > ---------------------
> >
> >
> >> -----Original Message-----
> >> From: Roland A. Dumas [mailto:[EMAIL PROTECTED]
> >> Sent: Tuesday, October 07, 2003 1:50 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: Re: Witango-Talk: resetting userreferencecookie
> >>
> >>
> >> If I set a new value to the witango_userreference cookie, it
> >> shows up
> >> as changed, but <@userreference> returns the original value.
> >> Something else is keeping it put
> >>
> >> (no get or postargs with userreference it them, either)
> >>
> >> On Tuesday, October 7, 2003, at 12:36 PM, Ben Johansen wrote:
> >>
> >>> Ok,
> >>> My post from my other server didn't make it through.
> >>> to change the Witango_UserReference cookie you can't uses
> >> the EXPIRES
> >>> because it is a session cookie
> >>>
> >>> Ben Johansen
> >>>
> >>> -----Original Message-----
> >>> From:     Roland A. Dumas [SMTP:[EMAIL PROTECTED]
> >>> Sent:     Tuesday, October 07, 2003 12:31 PM
> >>> To:       [EMAIL PROTECTED]
> >>> Subject:  Re: Witango-Talk: resetting userreferencecookie
> >>>
> >>> Thanks
> >>> I figured I should be able to set @@cookie$witango_userreference to
> >>> expire and have witango server create a new one on the spot, but there
> >>> seems to be something very persistent about it. jest won't die.
> >>>
> >>> hmmm.. maybe Fergal knows
> >>>
> >>>
> >>> On Tuesday, October 7, 2003, at 12:19 PM, Ben Johansen wrote:
> >>>
> >>>> I have been trying with my testautocookie.taf and seeing the same
> >>>> thing
> >>>>
> >>>> I have been looking at it and wanted you to know that there was
> >>>> someone looking at it :)
> >>>>
> >>>>
> >>>>
> >>>> Ben Johansen - http://www.pcforge.com
> >>>> Authorized Witango & MDaemon Reseller
> >>>> Available for Witango Developement
> >>>>
> >>>> -----Original Message-----
> >>>> From: Roland A. Dumas [mailto:[EMAIL PROTECTED]
> >>>> Sent: Tuesday, October 07, 2003 12:11 PM
> >>>> To: [EMAIL PROTECTED]
> >>>> Subject: Witango-Talk: resetting userreferencecookie
> >>>>
> >>>>
> >>>>
> >>>> If I try to rub out the userreference cookie thusly, it comes right
> >>>> back. How can I kill it and reset in the same request?
> >>>>
> >>>> @ASSIGN name="Witango_userreference" scope=cookie value="now"
> >>>> expires="Tue, 07-Oct-03 00:00:00 GMT ">
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >> ______________________________________________________________________
> >> TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
> >>>
> >>>
> >>>
> >>
> >>
> >
> > 
> >
> 
> 

