If you use the userreferenceargument, this is inevitable. 

Consider this scenario:
I hit a page and send a link to someone - I'm copying the URL, arguments and all. If the person hits the URL before the session expires, we're sharing a session. I've seen this happen (before we nuked userreferenceargs) where a chain is set up and people are joining a common session.

A variation on this is someone sending a URL out to a list or posting it someplace. 

It's easy to have shared sessions. Party lines, if you will.

Appending random numbers won't cure this. It's not a cache issue. 






Roland A. Dumas
310 W. Bellevue Ave.
San Mateo, CA 94402
650-347-1373
415-412-9300 (cell)
AIM: radumas


On Aug 24, 2005, at 12:26 PM, Alan Wolfe wrote:

Hey everyone,

I'm part of a company making web based software for school districts,
we just started getting reports from a district we have had on board
for a couple years saying that they are just navigating through the
system and all of a sudden they will be using another person's
session.

I'm not sure if the HTTP response is going to the wrong place (don't
even know how probable that is) or if a router somewhere is caching
the pages or what.

We use the userref arg on the URL lines because when we take them off,
there are massive caching issues. We could do @random instead like
Scott has suggested in the past but so far userreferenceargument has
worked ok for us.

Since this is the government (we all know how the govt. works!), I'm
really thinking it's a misconfigured network issue on their end but I'm
really not sure, anyone know how to better protect your code from
issues like this?

Thanks!
Alan
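
A detection sketch for the shared-session scenario discussed in this thread, added here as an example and not code from either poster or from Witango: it scans web-server access-log lines, groups requests by the session token carried in the URL, and flags any token that was used from more than one client address. The parameter name `_UserReference`, the Common Log Format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.1.1.20 - - [24/Aug/2005:12:01:10 -0700] "GET /grades.taf?_UserReference=AAAA1111 HTTP/1.1" 200 5120
10.1.1.20 - - [24/Aug/2005:12:02:41 -0700] "GET /roster.taf?_UserReference=AAAA1111 HTTP/1.1" 200 2048
10.1.7.93 - - [24/Aug/2005:12:05:02 -0700] "GET /grades.taf?_UserReference=AAAA1111 HTTP/1.1" 200 5120
10.1.3.55 - - [24/Aug/2005:12:06:30 -0700] "GET /grades.taf?_UserReference=BBBB2222 HTTP/1.1" 200 4096
10.1.3.55 - - [24/Aug/2005:12:07:00 -0700] "GET /logo.gif HTTP/1.1" 200 900
"""

# Captures the client address and the request target of each log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def shared_sessions(log_text, param="_UserReference"):
    """Return {token: sorted client addresses} for tokens seen from more than one client.

    `param` is the assumed name of the URL argument that carries the session token.
    """
    clients_by_token = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target = m.groups()
        query = parse_qs(urlsplit(target).query)
        for token in query.get(param, []):
            clients_by_token[token].add(client)
    return {t: sorted(c) for t, c in clients_by_token.items() if len(c) > 1}


if __name__ == "__main__":
    for token, clients in shared_sessions(SAMPLE_LOG).items():
        print(f"session {token} used from {len(clients)} clients: {', '.join(clients)}")
```

Users behind a single NAT address appear as one client, so this only catches a token reused across different addresses; a user whose requests leave through several proxy addresses will show up as a false positive.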