Hi Robert, > I am glad I found it too, and I appreciate the help, it was the fact > that others were not seeing the same issue that made me dig deeper. > > I agree, that the cookie is not set in a redirect, even if you include > the <@userreferencecookie> tag. So I removed the > <@userreferenceargument> in the redirects to get around this issue.
You can learn a lot from HTTP, eh :-) > Although I do see that the <@userreferencecookie> is working as > advertised, and so therefore this is not a bug, I did add a feature > request that the <@userreferencecookie> will in the future write the > cookie if the cookie does not exist, even if the search arg is present. > > I think if the cookie is not present, and there is a search arg user > ref, then the cookie should be written with the valud of the search > arg. I'm not 100% intimate with the logic currently in the system, but what you are suggesting is how Session-hijacking (or Session tail-gating) is achieved. This is exactly what shouldn't happen. > > Is there a reason that I am not thinking of where the cookie should not > > be written if the cookie is not present? I cannot think of one. See above. Cheers.... ________________________________________________________________________ TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
