Re: Witango-Talk: Cookies

Rick Sanders Wed, 13 Oct 2004 09:14:29 -0700


Hey Scott,

I've installed several new machines, and upgraded several machines to Windows XP SP1 over the past year. Every time I do, the WiTango applications I have that require cookies do not keep the session cookies. So, by over-riding the automatic cookie handling, and clicking "Always accept session cookies" the WiTango application worked.

This article explains the default cookie handling within IE 6:
http://support.microsoft.com/kb/293222/EN-US/

So, either it was a bug in XP, IE, or my WiTango application?

The joys of Microsoft.

Rick

Hi Rick,

Actually by default in MSIE, session cookies are disabled. To allow
session
cookies, you actually have to manually turn them on.

This has been since SP1 of Windows XP, or MSIE 6. MSIE 6 has tightened
security, so when you install it be default, session cookies, first
party,
and third party cookies are all disabled.


Check out the following article.

http://support.microsoft.com/default.aspx?scid=kb;en-us;283185

I think you'll find that this is generally not the case, but of course there are always exceptions to every rule, depending on where you get your software and hardware, etc...

So, an average user won't know this. If a user is concerned about
security,
they can just enable session cookies, but disable the rest. This way,
your
WiTango applications will work.

And, cookies have become a major security issue. Not because of
viruses, but
Adware that can track everything you type on the web and send it back
to a
marketing company. So, the tracking cookies have become a big security
issue.


Again, it's not the batteries fault.

Note, tracking cookies (3rd party) are different than session-cookies and most modern browsers provide separate settings for each.

Adware can also slow down your computer, and cause the browser
to not
function properly either.


Adware of this nature goes way beyond a problem with cookies.

I hope this information is useful.


Edumacation is always a useful thing. Thank you.....

Rick Sanders


> Hi Roland,
>
> I hear ya - but actually...turning up the Security settings in MSIE
to
> "high" does _not_
> disable regular cookie or "session" cookie functionality. Security
and
> cookies are two
> different things.
>
> Most settings in modern browsers do not directly connect cookies and
> security - because cookies
> are not actually a "Security" issue, they are a "Privacy" issue.
>
> This includes Windows XP SP2.
>
> With the way cookie settings work with most every brand of browser
these
> days - a user has to
> go into their settings/preferences and deliberately disable the
"session"
> cookie settings
> themselves, therefore they should know how to turn them back on.
>
> Hope this helps. Cheers...
>
> Scott Cadillac,
> XML-Extranet ~ 403-254-5002 ~ [EMAIL PROTECTED]
> ------------
> Well-formed Programming in C# ASP.NET, Witango and XML
> For Hire ~ http://xmlx.ca/forhire
> ------------
> IExtranet ~ http://IExtranet.net
> ------------
> Weblog ~ http://xmlx.ca
> Forums ~ http://forums.xmlx.ca
> Knowledge Base ~ http://kb.xmlx.ca
> ------------
> P.O. Box 69006
> RPO Bridlewood SW
> Calgary, Alberta
> Canada T2Y 4T9
>
>
>
> -----Original Message-----
> From: Roland Dumas <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Date: Wed, 13 Oct 2004 07:17:00 -0700
> Subject: Re: Witango-Talk: Cookies
>
>> Many with cookies off don't know about cookies. They just dialed up
the
>> "security" setting in MSIE to "high" after reading articles on all
the
>> evil
>> things that lurk on the web. Telling them that they have to lower
>> security
>> settings for your site confuses and scares them. Educating a user
can
>> be a
>> challenge.
>>
>>
>> On 10/13/04 6:25 AM, "John McGowan" <[EMAIL PROTECTED]> wrote:
>>
>> > Listen to Scott on this one.  If you can educate just one user
that
>> > turning session cookies back on isn't going to blow up their
computer
>> or
>> > get their credit card stolen then our society becomes one step
closer
>> to
>> > nirvana.
>> >
>> > If you were an auto dealer and a customer brought their car in and
>> said
>> > they didn't "like to have the battery plugged in", but wanted to
know
>> > why they couldn't start their car,  would you install a hand crank
>> for
>> > them to start their car?
>> >
>> > I know... It's a weak analogy...   :)
>> >
>> > /John
>> >
>> > Scott Cadillac wrote:
>> >
>> >> Hi Steve,
>> >>
>> >> If you recall, the point and the conclusion on that long
discussion
>> was
>> >> "security" - if a user
>> >> has session-cookies disabled, then so be it. Just display a
message
>> telling
>> >> them to turn it
>> >> back on before allowing them to proceed (provide instructions).
>> >>
>> >> This is the most secure way to handle session management for any
web
>> platform
>> >> (SSL is a
>> >> different matter).
>> >>
>> >> The issue is about security - why compromise security for user
>> convenience.
>> >> Giving them
>> >> convenience now just delays more serious problems until a later
>> date.
>> >>
>> >> ----
>> >> Yes, additional user variables may be assigned on the Server
because
>> of
>> >> missing session-
>> >> cookies. Unfortunately, it is one down-side to pay for better
>> security for
>> >> your visitors.
>> >>
>> >> -----
>> >> As for testing for cookies, writing a bit of code for this is not
>> difficult -
>> >> but keep in mind
>> >> there is a different between "session" cookies and regular
cookies,
>> and that
>> >> most every modern
>> >> browser has settings for both kinds (and that some browsers use
>> different
>> >> terminology to
>> >> describe these two kinds of cookies).
>> >>
>> >> Hope this helps. Cheers....
>> >>
>> >> Scott Cadillac,
>> >> XML-Extranet ~ 403-254-5002 ~ [EMAIL PROTECTED]
>> >> ------------
>> >> Well-formed Programming in C# ASP.NET, Witango and XML
>> >> For Hire ~ http://xmlx.ca/forhire
>> >> ------------
>> >> IExtranet ~ http://IExtranet.net
>> >> ------------
>> >> Weblog ~ http://xmlx.ca
>> >> Forums ~ http://forums.xmlx.ca
>> >> Knowledge Base ~ http://kb.xmlx.ca
>> >> ------------
>> >> P.O. Box 69006
>> >> RPO Bridlewood SW
>> >> Calgary, Alberta
>> >> Canada T2Y 4T9
>> >>
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: "Fogelson, Steve" <[EMAIL PROTECTED]>
>> >> To: "Witango User Group (E-mail)" <[EMAIL PROTECTED]>
>> >> Date: Tue, 12 Oct 2004 15:40:48 -0500
>> >> Subject: Witango-Talk: Cookies
>> >>
>> >>
>> >>
>> >>> I have built my shopping cart application without
<@userreference>
>> tag
>> >>> at
>> >>> the end of each url. It seemed after all the discussion about a
>> year
>> >>> ago
>> >>> that this was the way to go. Especially with search engine
spiders
>> and
>> >>> hijacked sessions.
>> >>>
>> >>> I talked to one of our online customers today and discovered
that
>> he
>> >>> was
>> >>> being assigned a new session id every time he added an item to
his
>> >>> cart.
>> >>>
>> >>> I'm trying to figure out a strategy for handling customers that
>> have
>> >>> disabled cookies, besides requiring them to sign in when
entering
>> the
>> >>> site.
>> >>>
>> >>> Is there a way to check to see if they have cookies disabled?
>> >>>
>> >>> Any ideas on how to handle customers that have disabled cookies?
>> >>>
>> >>> I am also concerned about all the user variables being created
for
>> this
>> >>> type
>> >>> of customer. Thanks in advance for your help.
>> >>>
>> >>> Steve Fogelson
>> >>> Internet Commerce Solutions
>> >>>
>> >>>
>> >>>
>>
_______________________________________________________________________
>> >>> _
>> >>> TO UNSUBSCRIBE: Go to
http://www.witango.com/developer/maillist.taf
>> >>>
>> >>>
>> >>
>> >>
>> >>
>>
_______________________________________________________________________
>> _
>> >> TO UNSUBSCRIBE: Go to
http://www.witango.com/developer/maillist.taf
>> >>
>> >>
>> >>
>> >
>>
_______________________________________________________________________
>> _
>> > TO UNSUBSCRIBE: Go to
http://www.witango.com/developer/maillist.taf
>> >
>>
>>
>> -----------------------------------------
>> Roland Dumas
>> Roberts Information Services
>> 310 W. Bellevue Avenue
>> San Mateo CA 94402
>> 650-347-1373
>> 415-412-9300 (cell)
>> [EMAIL PROTECTED]
>> SMS: http://new.servqual.com/html/sms.tml
>>
>>
>>
_______________________________________________________________________
>> _
>> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
>
>
>
_______________________________________________________________________
_
> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
>


_______________________________________________________________________
_
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

Re: Witango-Talk: Cookies

Reply via email to