Re: Witango-Talk: Cookies

Wed, 13 Oct 2004 07:58:22 -0700


Actually by default in MSIE, session cookies are disabled. To allow session cookies, you actually have to manually turn them on.

This has been since SP1 of Windows XP, or MSIE 6. MSIE 6 has tightened security, so when you install it be default, session cookies, first party, and third party cookies are all disabled.

So, an average user won't know this. If a user is concerned about security, they can just enable session cookies, but disable the rest. This way, your WiTango applications will work.

And, cookies have become a major security issue. Not because of viruses, but Adware that can track everything you type on the web and send it back to a marketing company. So, the tracking cookies have become a big security issue. Adware can also slow down your computer, and cause the browser to not function properly either.

I hope this information is useful.

Rick Sanders


Hi Roland,

I hear ya - but actually...turning up the Security settings in MSIE to "high" does _not_
disable regular cookie or "session" cookie functionality. Security and cookies are two
different things.

Most settings in modern browsers do not directly connect cookies and security - because cookies
are not actually a "Security" issue, they are a "Privacy" issue.

This includes Windows XP SP2.

With the way cookie settings work with most every brand of browser these days - a user has to
go into their settings/preferences and deliberately disable the "session" cookie settings
themselves, therefore they should know how to turn them back on.

Hope this helps. Cheers...

Scott Cadillac,
XML-Extranet ~ 403-254-5002 ~ [EMAIL PROTECTED]
------------
Well-formed Programming in C# ASP.NET, Witango and XML
For Hire ~ http://xmlx.ca/forhire
------------
IExtranet ~ http://IExtranet.net
------------
Weblog ~ http://xmlx.ca
Forums ~ http://forums.xmlx.ca
Knowledge Base ~ http://kb.xmlx.ca
------------
P.O. Box 69006
RPO Bridlewood SW
Calgary, Alberta
Canada T2Y 4T9



-----Original Message-----
From: Roland Dumas <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Date: Wed, 13 Oct 2004 07:17:00 -0700
Subject: Re: Witango-Talk: Cookies

Many with cookies off don't know about cookies. They just dialed up the
"security" setting in MSIE to "high" after reading articles on all the
evil
things that lurk on the web. Telling them that they have to lower
security
settings for your site confuses and scares them. Educating a user can
be a
challenge.


On 10/13/04 6:25 AM, "John McGowan" <[EMAIL PROTECTED]> wrote:

> Listen to Scott on this one.  If you can educate just one user that
> turning session cookies back on isn't going to blow up their computer
or
> get their credit card stolen then our society becomes one step closer
to
> nirvana.
>
> If you were an auto dealer and a customer brought their car in and
said
> they didn't "like to have the battery plugged in", but wanted to know
> why they couldn't start their car,  would you install a hand crank
for
> them to start their car?
>
> I know... It's a weak analogy...   :)
>
> /John
>
> Scott Cadillac wrote:
>
>> Hi Steve,
>>
>> If you recall, the point and the conclusion on that long discussion
was
>> "security" - if a user
>> has session-cookies disabled, then so be it. Just display a message
telling
>> them to turn it
>> back on before allowing them to proceed (provide instructions).
>>
>> This is the most secure way to handle session management for any web
platform
>> (SSL is a
>> different matter).
>>
>> The issue is about security - why compromise security for user
convenience.
>> Giving them
>> convenience now just delays more serious problems until a later
date.
>>
>> ----
>> Yes, additional user variables may be assigned on the Server because
of
>> missing session-
>> cookies. Unfortunately, it is one down-side to pay for better
security for
>> your visitors.
>>
>> -----
>> As for testing for cookies, writing a bit of code for this is not
difficult -
>> but keep in mind
>> there is a different between "session" cookies and regular cookies,
and that
>> most every modern
>> browser has settings for both kinds (and that some browsers use
different
>> terminology to
>> describe these two kinds of cookies).
>>
>> Hope this helps. Cheers....
>>
>> Scott Cadillac,
>> XML-Extranet ~ 403-254-5002 ~ [EMAIL PROTECTED]
>> ------------
>> Well-formed Programming in C# ASP.NET, Witango and XML
>> For Hire ~ http://xmlx.ca/forhire
>> ------------
>> IExtranet ~ http://IExtranet.net
>> ------------
>> Weblog ~ http://xmlx.ca
>> Forums ~ http://forums.xmlx.ca
>> Knowledge Base ~ http://kb.xmlx.ca
>> ------------
>> P.O. Box 69006
>> RPO Bridlewood SW
>> Calgary, Alberta
>> Canada T2Y 4T9
>>
>>
>>
>> -----Original Message-----
>> From: "Fogelson, Steve" <[EMAIL PROTECTED]>
>> To: "Witango User Group (E-mail)" <[EMAIL PROTECTED]>
>> Date: Tue, 12 Oct 2004 15:40:48 -0500
>> Subject: Witango-Talk: Cookies
>>
>>
>>
>>> I have built my shopping cart application without <@userreference>
tag
>>> at
>>> the end of each url. It seemed after all the discussion about a
year
>>> ago
>>> that this was the way to go. Especially with search engine spiders
and
>>> hijacked sessions.
>>>
>>> I talked to one of our online customers today and discovered that
he
>>> was
>>> being assigned a new session id every time he added an item to his
>>> cart.
>>>
>>> I'm trying to figure out a strategy for handling customers that
have
>>> disabled cookies, besides requiring them to sign in when entering
the
>>> site.
>>>
>>> Is there a way to check to see if they have cookies disabled?
>>>
>>> Any ideas on how to handle customers that have disabled cookies?
>>>
>>> I am also concerned about all the user variables being created for
this
>>> type
>>> of customer. Thanks in advance for your help.
>>>
>>> Steve Fogelson
>>> Internet Commerce Solutions
>>>
>>>
>>>
_______________________________________________________________________
>>> _
>>> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
>>>
>>>
>>
>>
>>
_______________________________________________________________________
_
>> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
>>
>>
>>
>
_______________________________________________________________________
_
> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
>


-----------------------------------------
Roland Dumas
Roberts Information Services
310 W. Bellevue Avenue
San Mateo CA 94402
650-347-1373
415-412-9300 (cell)
[EMAIL PROTECTED]
SMS: http://new.servqual.com/html/sms.tml


_______________________________________________________________________
_
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf



________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf



________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

Reply via email to