I meant to write:

Yes. If you use HTTP cleartext transport instead of HTTPS, then a packet sniffer can grab the cookie. But the normal hijack route is by copying and pasting URLs into an email that gets passed around.

So one thing I do is only allow one concurrent login (IP address) per userreference. This limits the problem to nefarious co-workers in the same NATed subnet, i.e., they present the same public IP address to my server. (But if you can't trust your co-worker, she's on the management track and will be your boss someday.) The downside is that some users close their window mistakenly without logging out, and then they can't log in again until the previous session times out. But we allow them to check a box to force their old session to expire.

On Jun 8, 2006, at 5:10 PM, William M Conlon wrote:

Yes, if you use HTTP cleartext transport, you can use a packet sniffer and grab the cookie. But the normal hijack route is by copying and pasting URLs into an email that gets passed around.

So one thing I do is only allow one concurrent login (IP address) per userreference. This limits the problem to nefarious co-workers in the same NATed subnet. The downside is that some users close their window mistakenly without logging out, and then they can't log in again until the previous session times out. But we allow them to check a box to force their old session to expire.

On Jun 8, 2006, at 4:57 PM, Alan Wolfe wrote:

Could someone spoof a cookie's value just like someone could spoof a user ref argument to do session hijacking?


On 6/8/06, Robert Garcia <[EMAIL PROTECTED]> wrote:
Yes, but that doesn't solve any of the issues that arise from using it in a url, you have the same issues, when you don't just use the cookie methods.



--


Robert Garcia
President - BigHead Technology
VP Application Development - eventpix.com
13653 West Park Dr
Magalia, Ca 95954
ph: 530.645.4040 x222 fax: 530.645.4040
[EMAIL PROTECTED] - [EMAIL PROTECTED]
http://bighead.net/ - http://eventpix.com/

On Jun 8, 2006, at 4:48 AM, Dale Graham wrote:

You can also pass UserReferenceArgument as a hidden argument, which drops it out of the URL...


I believe it must be in this form <input type="hidden" name="_userReference" value="<@UserReferenceArgument>">


If I am in error on the format, someone on the list more knowledgeable can correct this .....

On Jun 7, 2006, at 12:09 PM, GEzra wrote:

Folks I'm dealing with do not like cookies, candies or anything sweet; I spent a lot of time making sure that I was passing userref in the URL to avoid cookies. I'm just gonna see if my ISP can do something about their router, unless my Xserve is doing this NAT, even though it's turned off.


Thanks for your help on this Dave, William & Robert!


Ezra




On 2-Jun-06, at 4:23 AM, Robert Garcia wrote:


Yes, they are in the URI, you can see in the log:


_function=validate_user&_UserReference=58FA321F03B02D3E447F5B62


Remove userreference from URI, and only use cookies.




On Jun 1, 2006, at 8:35 PM, William M Conlon wrote:


Are the userref's in the URI? That would allow them to be shared.


Look in the archive on session hijacking.




On Jun 1, 2006, at 7:37 PM, GEzra wrote:


Hello all!


I looked at my witango log today and it seems like the same userreference was assigned to two different users, seconds apart while both were accessing diff. apps.


What's so odd is that the server address of xxx.xxx.xxx.xxx is being logged as the client's IP. How can this be?




01/06/2006 14:27:19 xxx.xxx.xxx.xxx [EMAIL PROTECTED] 25272320 1 1 [Application File] START /apps/login.taf WitangoServer _function=validate_user&_UserReference=58FA321F03B02D3E447F5B62
01/06/2006 14:27:44 xxx.xxx.xxx.xxx [EMAIL PROTECTED] 25310208 1 0 [Application File] START /apps/login.taf WitangoServer _function=validate_user&_UserReference=58FA321F03B02D3E447F5B62




Any ideas?


thanks,
Ezra
________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf


Bill


William M. Conlon, P.E., Ph.D.
To the Point
345 California Avenue Suite 2
Palo Alto, CA 94306
   vox:  650.327.2175 (direct)
   fax:  650.329.8335
mobile:  650.906.9929
e-mail:  mailto:[EMAIL PROTECTED]
   web:  http://www.tothept.com
















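The session policy William describes at the top of the thread (one live session per user, bound to the client IP it was created from, with a checkbox that forces the previous session to expire) as an added Python sketch. This is example code written for this page, not Witango code and not anything posted in the thread; the in-memory store, the 30-minute inactivity timeout, the `SessionStore` class name and the addresses in `demo()` are all assumptions. The session id is only ever meant to travel in a cookie, never in a URL, and the IP check cannot tell apart clients behind the same NAT, which is exactly the limit the post itself points out.

```python
import secrets
import time

# Inactivity window after which a session is considered timed out.
# Assumed value for this example; the thread gives no figure.
SESSION_TIMEOUT = 30 * 60


class SessionStore:
    """Server-side session table for the policy described in the thread:
    one live session per user, each bound to the client IP it was created
    from, with an opt-in to force the previous session to expire.

    The session id is meant to travel in a cookie only; it never appears in
    a URL. Clients behind the same NAT present one public IP and so are not
    told apart by the IP check (the caveat the post itself raises)."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock for testing
        self._sessions = {}              # sid -> {"user", "ip", "last_seen"}
        self._by_user = {}               # user -> sid of the live session

    def _timed_out(self, sess):
        return self._now() - sess["last_seen"] > SESSION_TIMEOUT

    def _drop(self, sid):
        sess = self._sessions.pop(sid, None)
        if sess is not None and self._by_user.get(sess["user"]) == sid:
            del self._by_user[sess["user"]]

    def login(self, user, client_ip, force_expire_old=False):
        """Return (session_id, None) on success, (None, reason) when refused.
        force_expire_old is the checkbox that kills a lingering session
        left behind by a closed browser window."""
        old_sid = self._by_user.get(user)
        if old_sid is not None:
            old = self._sessions.get(old_sid)
            if old is not None and not self._timed_out(old) and not force_expire_old:
                return None, "user already has a live session from %s" % old["ip"]
            self._drop(old_sid)          # timed out, or user asked to replace it
        sid = secrets.token_hex(16)      # 128 random bits, not guessable
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "last_seen": self._now()}
        self._by_user[user] = sid
        return sid, None

    def validate(self, sid, client_ip):
        """Return the user owning a valid session, else None.
        A session id presented from a different IP than the one it was
        issued to (for instance one pasted out of a URL and mailed on) is
        refused without touching the legitimate session."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._timed_out(sess):
            self._drop(sid)
            return None
        if sess["ip"] != client_ip:
            return None
        sess["last_seen"] = self._now()
        return sess["user"]

    def logout(self, sid):
        self._drop(sid)


def demo():
    """Walk through the thread's scenario with constructed addresses and a
    fake clock; returns the outcome of each step."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    office_ip, outside_ip = "203.0.113.10", "198.51.100.7"   # constructed

    sid, _ = store.login("ezra", office_ip)
    steps = {
        "owner_ok": store.validate(sid, office_ip) == "ezra",
        # the same id replayed from elsewhere is useless
        "replay_rejected": store.validate(sid, outside_ip) is None,
        # second login without the checkbox is refused
        "second_login_refused": store.login("ezra", office_ip)[0] is None,
    }
    new_sid, _ = store.login("ezra", office_ip, force_expire_old=True)
    steps["forced_login_ok"] = new_sid is not None
    steps["old_session_dead"] = store.validate(sid, office_ip) is None
    clock[0] += SESSION_TIMEOUT + 1
    steps["timed_out"] = store.validate(new_sid, office_ip) is None
    steps["relogin_after_timeout"] = store.login("ezra", office_ip)[0] is not None
    return steps


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "ok" if ok else "FAIL"))
```

Run it directly to see each step of the scenario. The design choice worth noting is that `validate()` refuses a mismatched IP without revoking the session, so a stray request cannot knock the real user off; the timeout and the `force_expire_old` path are the only things that end a session besides `logout()`.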
