Thank you Bill, you "do" understand programming for the web - you get it!
-----Original Message-----
From: Bill Conlon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Wed, 13 Oct 2004 10:42:40 -0700
Subject: Re: Witango-Talk: Cookies

> On Wednesday, October 13, 2004, at 10:26 AM, Roland Dumas wrote:
>
> > Case 1: spidered session has expired. Someone hits the link with the
> > expired userref and has cookies off. I believe they just revived that
> > session - started another with the same id.
>
> They have only revived this in the sense that the userreference will
> appear multiple times in the log. That's a housekeeping issue only.
>
> But, if that userreference is in google, for example, and User1, User2,
> etc., all follow a link containing the same userreference, then you
> have a problem.
>
> > Case 2: (real) Person on a witango site that uses userrefarg. Copies
> > link and posts it to a group. Everyone in that group now has direct
> > access to a live session. That session stays live as long as someone
> > in the group is hitting it within the timeout period. Sort of a
> > flashmob session.
>
> Same as above.
>
> This is why userreference is unique (on the server at least). If you
> only allow the user to have userreference in their session cookie,
> you're safe. But if you let people pass around the userreference in a
> URL, it's unsafe.
>
> Moral: Wear a condom. Use a session cookie.
>
> > On 10/13/04 10:17 AM, "Stefan Gonick" <[EMAIL PROTECTED]> wrote:
> >
> > > Hi Scott,
> > >
> > > Forgive me if I find this explanation less than satisfying. :)
> > > If sessions typically expire after 30 minutes of inactivity,
> > > then spidered sessions would extremely likely have expired
> > > by the time someone has clicked on the link. Am I missing
> > > something here?
> > >
> > > Stefan
> > >
> > > At 01:10 PM 10/13/2004, you wrote:
> > > > Hi Stefan,
> > > >
> > > > Who knows if it ever expired?
> > > >
> > > > Personally, I think the bug is using <@USERREFERENCEARGUMENT> period.
> > > >
> > > > Just remove it - and more than one problem is solved.
> > > >
> > > > -----Original Message-----
> > > > From: Stefan Gonick <[EMAIL PROTECTED]>
> > > > To: [EMAIL PROTECTED]
> > > > Date: Wed, 13 Oct 2004 12:58:56 -0400
> > > > Subject: Re: Witango-Talk: Cookies
> > > >
> > > > > What kind of factor can lead to the resurrection of an expired
> > > > > session?
> > > > >
> > > > > Stefan
> > > > >
> > > > > At 01:04 PM 10/13/2004, you wrote:
> > > > > > Hi Stefan,
> > > > > >
> > > > > > > I STILL don't understand why UserReferences from a week ago should
> > > > > > > lead to session hijacking. Wouldn't this UserReference have expired
> > > > > > > a long time ago? Wouldn't that result in creating a new UserReference?
> > > > > > > If not, wouldn't this be considered a bug?
> > > > > >
> > > > > > There can be more than one factor involved with why this can happen,
> > > > > > and therefore hard to eliminate.
> > > > > >
> > > > > > Keep in mind this problem plagues more web development platforms than
> > > > > > just Witango.
> > > > > >
> > > > > > This is more of a flaw in the Internet "architecture" brought about by
> > > > > > the addition of user "convenience" - but that convenience is superseded
> > > > > > now by security concerns.
> > > > > >
> > > > > > Basically, in my opinion - just don't use <@USERREFERENCEARGUMENT> for
> > > > > > any reason.
> > > > > >
> > > > > > Hope this is helpful. Cheers....
> > > > > >
> > > > > > > Stefan
> > > > > > >
> > > > > > > =====================================================
> > > > > > > Database WebWorks: Dynamic web sites through database integration
> > > > > > > http://www.DatabaseWebWorks.com
> > > > > > >
> > > > > > > ________________________________________________________________________
> > > > > > > TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
> >
> > -----------------------------------------
> > Roland Dumas
> > Roberts Information Services
> > 310 W. Bellevue Avenue
> > San Mateo CA 94402
> > 650-347-1373
> > 415-412-9300 (cell)
> > [EMAIL PROTECTED]
> > SMS: http://new.servqual.com/html/sms.tml
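The two cases Roland describes (an expired id revived under the same value, and a live session shared by everyone who follows a link) come down to one server-side decision: whether the session id is read from the URL and whether an unrecognised id is adopted as-is. The following is an added illustration, not code from this thread or from Witango: a small in-memory session store with the pattern Bill warns about (`resolve_insecure`, which accepts a `userref` query argument and recreates an expired session under the presented id) beside the cookie-only form (`resolve_secure`, which ignores query arguments and always mints a fresh random id when the presented one is unknown or expired). The `Request`, `Session` and `SessionStore` names, the `userref` parameter name standing in for the userreference argument, and the `demo()` clock are all constructed for this example; the 30-minute idle timeout is the figure Stefan mentions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60  # seconds of inactivity after which a session expires


@dataclass
class Session:
    sid: str
    last_seen: float
    data: dict = field(default_factory=dict)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    cookies: Dict[str, str] = field(default_factory=dict)
    args: Dict[str, str] = field(default_factory=dict)  # query-string parameters


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be demonstrated offline
        self._sessions: Dict[str, Session] = {}

    def _alive(self, sid: str) -> Optional[Session]:
        """Return the session for sid if it exists and has not idled out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: forget it entirely
            return None
        s.last_seen = self._now()  # sliding expiry on every hit
        return s

    def _create(self, sid: Optional[str] = None) -> Session:
        sid = sid or secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        s = Session(sid=sid, last_seen=self._now())
        self._sessions[sid] = s
        return s

    # Pattern the thread warns about: the id is accepted from the URL and an
    # unknown (e.g. expired) id is adopted as the id of a brand-new session.
    def resolve_insecure(self, req: Request) -> Session:
        sid = req.cookies.get("userref") or req.args.get("userref")
        if sid:
            s = self._alive(sid)
            if s is not None:
                return s  # anyone holding the link joins this live session (Case 2)
            return self._create(sid)  # expired id "revived" under the same value (Case 1)
        return self._create()

    # Hardened form: cookie only, and a client-supplied id is never adopted.
    def resolve_secure(self, req: Request) -> Session:
        sid = req.cookies.get("userref")  # query-string args are ignored on purpose
        if sid:
            s = self._alive(sid)
            if s is not None:
                return s
        return self._create()  # unknown or expired id -> fresh random id


def demo():
    """Replay both cases against each resolver; returns four booleans."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])

    # A user's session id ends up in a URL (posted link, spidered page).
    owner = store.resolve_secure(Request())
    shared_link = Request(args={"userref": owner.sid})

    # Case 2: a second visitor follows the link while the session is live.
    joined_live_session = store.resolve_insecure(shared_link).sid == owner.sid
    got_own_session = store.resolve_secure(shared_link).sid != owner.sid

    # Case 1: the session idles past the timeout, then the link is followed again.
    clock[0] += IDLE_TIMEOUT + 1
    revived_old_id = store.resolve_insecure(shared_link).sid == owner.sid
    minted_fresh_id = store.resolve_secure(shared_link).sid != owner.sid
    return joined_live_session, got_own_session, revived_old_id, minted_fresh_id


if __name__ == "__main__":
    print(demo())
```

The secure resolver is deliberately stricter than "just drop the URL argument": even when the id arrives in a cookie, an id the server does not currently know is discarded and replaced, so a stale or externally chosen value can never become the name of a new session. A real deployment would additionally set the cookie with `Secure`, `HttpOnly` and an appropriate `SameSite` attribute and persist the store outside the process.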
