I understand about session hijacking regarding a currently active session.

What I don't understand is the whole issue with a search engine spider
saving a link with a userreference in it. If someone clicks on the link after
the original session expired, it doesn't seem like there should be any
session hijacking concerns. The session expired, say, a week ago, so
the Witango server should recognize that and start a new session.
Doesn't this make sense?  Therefore, it should not be a big deal that
search engines spider links with userreferences in them. Otherwise,
it seems to me, there is a bug in the Witango server code. Any thoughts?

Stefan

At 12:54 PM 10/13/2004, you wrote:
Here is a good example of session-hijacking.

You use userreferenceargument and the user at a workstation opens up 2
instances of a browser and both are looking at the same page.

You see where this can go...

Ben Johansen - http://www.pcforge.com
Authorized Witango & MDaemon Reseller
Available for Witango Development


-----Original Message-----
From: Stefan Gonick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 13, 2004 9:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Witango-Talk: Cookies

At 12:33 PM 10/13/2004, you wrote:

>1. I have had userreferencearguments spidered. Don't recall if it was
>google or another, but it was there.
>2. the userreferenceargument is in the visitor's history. Had a case at a
>non-witango site of going to a site in my history and having the session
>cookie in the URL. When I got to the site, I was joined into a session with
>another visitor and could see that person's order and credit card
>information.


I STILL don't understand why UserReferences from a week ago should
lead to session hijacking. Wouldn't this UserReference have expired a long
time ago? Wouldn't that result in creating a new UserReference? If not,
wouldn't this be considered a bug?

Stefan

=====================================================
Database WebWorks: Dynamic web sites through database integration
http://www.DatabaseWebWorks.com

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
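
The expiry behaviour discussed in this thread, as an added example that is not part of the original messages and is not Witango code: a minimal Python session store (the class, the 30-minute idle timeout and the sample data are assumptions) that issues a fresh ID for an expired or unknown reference, while a reference that is still live is accepted from any browser that presents it.

```python
import secrets

SESSION_TTL = 30 * 60  # assumed idle timeout in seconds (constructed value)


class SessionStore:
    """Server-side table of live sessions keyed by an unguessable ID."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._sessions = {}  # session_id -> {"last_seen": float, "data": dict}

    def _new_session(self, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"last_seen": now, "data": {}}
        return sid

    def resolve(self, presented_id, now):
        """Return (session_id, is_new) for the ID a request carried in its URL."""
        entry = self._sessions.get(presented_id)
        if entry is not None and now - entry["last_seen"] <= self.ttl:
            entry["last_seen"] = now  # sliding idle timeout
            return presented_id, False
        # Expired or unknown: drop any stale state and never adopt the
        # client-supplied value, so an old link cannot name the new session.
        self._sessions.pop(presented_id, None)
        return self._new_session(now), True

    def data(self, session_id):
        return self._sessions[session_id]["data"]


def demo():
    store = SessionStore()
    t0 = 1_000_000.0  # constructed timestamps
    sid, _ = store.resolve(None, t0)
    store.data(sid)["order"] = "constructed order #1"

    # Same ID from a second browser 5 minutes later: session still live.
    live_sid, live_new = store.resolve(sid, t0 + 300)
    # Same ID from a link followed a week later: expired, fresh session.
    old_sid, old_new = store.resolve(sid, t0 + 7 * 24 * 3600)
    return {
        "live_joined": (live_sid == sid and not live_new),
        "week_old_new": old_new and old_sid != sid,
        "week_old_data": store.data(old_sid),
    }
```

The week-old reference lands in an empty session, so the exposure is limited to the window in which the original session is still live.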

