On Wednesday, October 13, 2004, at 10:26 AM, Roland Dumas wrote:
Case 1: spidered session has expired. Someone hits the link with the expired
userref and has cookies off. I believe they just revived that session -
started another with the same id.
They have only revived this in the sense that the userreference will appear multiple times in the log. That's a housekeeping issue only.
But, if that userreference is in google, for example, and User1, User2, etc., all follow a link containing the same userreference, then you have a problem.
Case 2: (real) Person on a witango site that uses userrefarg. Copies link
and posts it to a group. Everyone in that group now has direct access to a
live session. That session stays live as long as someone in the group it
hitting it within the timeout period. Sort of a flashmob session.
Same as above.
This is why userreference is unique (on the server at least). If you only allow the user to have userreference in their session cookie, you're safe. But if you let people pass around the userreference in a URL, it's unsafe.
Moral: Wear a condom. Use a session cookie.
On 10/13/04 10:17 AM, "Stefan Gonick" <[EMAIL PROTECTED]> wrote:
Hi Scott,
Forgive me if I find this explanation less than satisfying. :) If sessions typically expire after 30 minutes of inactivity, then spidered sessions would extremely likely have expired by the time someone has clicked on the link. Am I missing something here?
Stefan
At 01:10 PM 10/13/2004, you wrote:
Hi Stefan,
Who knows if it ever expired?
Personally, I think the bug is using <@USERREFERENCEARGUMENT> period.
Just remove it - and more than one problem is solved.
-----Original Message-----
From: Stefan Gonick <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Wed, 13 Oct 2004 12:58:56 -0400
Subject: Re: Witango-Talk: Cookies
What kind of factor can lead to the resurrection of an expired session?
Stefan
At 01:04 PM 10/13/2004, you wrote:
Hi Stefan,
I STILL don't understand why UserReferences from a week ago should lead to session hijacking. Wouldn't this UserReference have expired a long time ago? Wouldn't that result in creating a new UserReference? If not, wouldn't this be considered a bug?
There can be more than one factor involved with why this can happen, and therefore it is just hard to eliminate.
Keep in mind this problem plagues more web development platforms than Witango.
This is more of a flaw in the Internet "architecture" brought about by the addition of user "convenience" - but that convenience is superseded now by security concerns.
Basically, in my opinion - just don't use <@USERREFERENCEARGUMENT> for any reason.
Hope this is helpful. Cheers....
Stefan
===================================================== Database WebWorks: Dynamic web sites through database integration http://www.DatabaseWebWorks.com
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
-----------------------------------------
Roland Dumas
Roberts Information Services
310 W. Bellevue Avenue
San Mateo CA 94402
650-347-1373
415-412-9300 (cell)
[EMAIL PROTECTED]
SMS: http://new.servqual.com/html/sms.tml
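The two cases argued over in this thread, as an added example that is not code from the thread or from Witango: a toy session store run in two modes, one that accepts the session reference from a URL argument (the <@USERREFERENCEARGUMENT> behaviour) and one that only honours the session cookie, followed by a log check that flags a reference requested from more than one client address or reached from an off-site referer such as a search engine. The SessionStore class, the request-dict shape, the `_UserReference` argument name in the log lines, the log format and the sample log lines are all assumptions constructed for the example.

```python
import re
import secrets
from collections import defaultdict
from urllib.parse import urlsplit

SESSION_TIMEOUT = 30 * 60  # seconds; the thread assumes a 30-minute inactivity timeout


class SessionStore:
    """Minimal session table (constructed for this example, not Witango's implementation).
    accept_id_from_url=True models a site that lets the client pass the session reference
    in a URL argument; False models cookie-only handling."""

    def __init__(self, accept_id_from_url):
        self.accept_id_from_url = accept_id_from_url
        self.sessions = {}  # session id -> {"user": str | None, "last_seen": float}

    def resolve(self, request, now):
        """request is a dict with optional 'cookie' and 'url_arg' keys (assumed shape).
        Returns the session id the request ends up attached to."""
        candidate = request.get("cookie")
        if candidate is None and self.accept_id_from_url:
            candidate = request.get("url_arg")
        sess = self.sessions.get(candidate) if candidate else None
        if sess is not None and now - sess["last_seen"] > SESSION_TIMEOUT:
            del self.sessions[candidate]  # expired: the old session data is gone ...
            sess = None
        if sess is None:
            # ... but a server that trusts URL-supplied ids starts a *new* session under the
            # same id (the "revived" session of case 1); cookie-only mode mints a fresh id.
            sid = candidate if (candidate and self.accept_id_from_url) else secrets.token_urlsafe(32)
            sess = self.sessions[sid] = {"user": None, "last_seen": now}
        else:
            sid = candidate
        sess["last_seen"] = now
        return sid

    def login(self, sid, user):
        self.sessions[sid]["user"] = user

    def user_of(self, sid):
        return self.sessions[sid]["user"]


def demo(accept_id_from_url):
    """Walk through both cases from the thread; returns what each later visitor sees."""
    store = SessionStore(accept_id_from_url)
    t = 1_000_000.0
    # User1 logs in, then copies a link that carries the session reference
    sid = store.resolve({}, t)
    store.login(sid, "user1")
    # Case 2: a group member follows the posted link while the session is live
    seen_by_user2 = store.user_of(store.resolve({"url_arg": sid}, t + 60))
    # Case 1: the link (e.g. spidered by a search engine) is followed after expiry
    t_late = t + SESSION_TIMEOUT + 3600
    revived_sid = store.resolve({"url_arg": sid}, t_late)
    store.login(revived_sid, "user3")
    seen_by_user4 = store.user_of(store.resolve({"url_arg": sid}, t_late + 60))
    return {
        "user2_sees": seen_by_user2,
        "same_id_after_expiry": revived_sid == sid,
        "user4_sees": seen_by_user4,
    }


# Combined-log-format lines with referer; constructed sample data, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Oct/2004:10:01:12 -0700] "GET /app.taf?_function=list&_UserReference=A1B2C3 HTTP/1.1" 200 512 "-"',
    '10.0.0.5 - - [13/Oct/2004:10:02:40 -0700] "GET /app.taf?_function=detail&_UserReference=A1B2C3 HTTP/1.1" 200 2048 "http://www.example.com/app.taf"',
    '192.0.2.44 - - [13/Oct/2004:10:05:03 -0700] "GET /app.taf?_function=detail&_UserReference=A1B2C3 HTTP/1.1" 200 2048 "http://groups.example.net/thread/99"',
    '198.51.100.9 - - [13/Oct/2004:11:30:55 -0700] "GET /app.taf?_function=list&_UserReference=A1B2C3 HTTP/1.1" 200 512 "http://www.google.com/search?q=example"',
    '10.0.0.7 - - [13/Oct/2004:10:09:00 -0700] "GET /app.taf?_function=list&_UserReference=ZZ99 HTTP/1.1" 200 512 "-"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \d+ "(?P<referer>[^"]*)"')
REF_RE = re.compile(r'[?&]_UserReference=([A-Za-z0-9_\-]+)')  # argument name is an assumption


def shared_references(log_lines, own_host):
    """Return ({reference: sorted client ips} for references used from more than one address,
    {references reached from a referer on a host other than own_host})."""
    ips = defaultdict(set)
    offsite = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = REF_RE.search(m.group("req"))
        if not r:
            continue
        ref = r.group(1)
        ips[ref].add(m.group("ip"))
        referer = m.group("referer")
        if referer not in ("-", "") and urlsplit(referer).hostname != own_host:
            offsite.add(ref)
    shared = {ref: sorted(addrs) for ref, addrs in ips.items() if len(addrs) > 1}
    return shared, offsite


if __name__ == "__main__":
    print("url argument accepted:", demo(True))
    print("cookie only:          ", demo(False))
    print("log check:", shared_references(SAMPLE_LOG, "www.example.com"))
```

In URL-argument mode user2 lands in user1's live session and, after expiry, the same reference is revived for user3 and then shared with user4; in cookie-only mode every visitor without a cookie gets a fresh, unguessable id and the posted link is worthless. The log check is the housekeeping side of the thread's point: a reference seen from several addresses, or arriving from a search-engine referer, is the signal that the reference has leaked in a URL.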
