This problem drives me crazy...
It took my colleague and me ages to figure out what was happening:
After developing a witango application on a developing machine on which
everything works fine, we moved the whole thing to our server - Win 2000 /
MS SQL. We're using the developing version on the first
Do you have the ftf47 installed?
Here's a quote from a post earlier this year. Following it resolved a
similar problem I had with transactions.
We just installed FTF47 on tango2000/SP1 ,IIS5 and W2k. All seemed fine,
BUT
every time we load a page with transactions in it locks up the whole
Hello list,
I have 2 subjects here:
First;
I need to know if we can search past discussion
threads from witango-talk at witango site or ??.
I am sure this will help me save your time
by not asking a question you already answered
many times before.
Last;
Anyway, I got various ways to
I think Ben Johansen has the archives at http://www.witango.ws
To get a file length you could read the file with a file read action and
check its length with @length or @calc expr=len(...) but if it's a
binary file or a very big file this could cause problems. A better way is to
run a DOS dir
Hi,
Has anyone got any solutions for preventing session hijacking in Tango?
To handle the possibility of a user having cookies turned off, we've made
sure @USERREFERENCEARGUMENT is added to every URL. That solution has
worked well, until recently.
One of our customers copied a URL from the
Hello, Mike Tyranski! On 9/12/2002 10:38 AM -0500, you wrote in whole or part:
Eric,
Are they accessing the site and then immediately emailing others the
link? I would think if you tried to use a link where the user reference
was more than X minutes old, that particular user reference would
This problem is endemic to all web development tools. There is a way to
address the problem: certificates and PKI.
By the way, this is like someone buying a ticket to the movies, holding
the backdoor open for their friends and then complaining that people
didn't pay to see the movie. A large
Eric,
You could test for that particular userReference, and refresh the page with
a different one if you get it.
As a more generic solution you could check if the referer is empty (or other
than your site), then repost the page with a new userreference.
Dave
-Original Message-
From:
Would this be possible-
1. Make a re-direct page for the offending URL, send them to an identical page
but with no userreference.
2. Purge all variables.
Now when some customer clicks on the link from marketing he will be brought to
the appropriate page and eventually assigned a new
This is what I call session trapping.
If the user ref is sent in the URL, check it against the current user
ref in the session. If it's not equal to the same value, then throw the
user to a page and force a new session. Clear the user ref and
Correct me if I am wrong! One easy solution I thought of was to check if the
@CGIPARAM NAME=referer is empty in every TAF file. If it is empty then we
can actually redirect him to an access denied page.
I might be wrong in giving this solution. But it sounds good to me for if the
other user is trying to
I do this most of the time. (Of course, it is helpful to spell
UserReference correctly:-)) A page can still be hacked, but the hacker
has to view the source, and won't find the arguments in the url history.
Bill
On Thu, 12 Sep 2002 10:14:26 -0700, Atrix Wolfe wrote:
I have a silly idea that
This would suck, but you could turn every link into a form. That way
the ref wouldn't be in the URL.
Mike
Eric Weidl wrote:
Hi,
Has anyone got any solutions for preventing session hijacking in Tango?
To handle the possibility of a user having cookies turned off, we've made
sure
If you're running a secure application it's a good idea to check the referer
on every hit, and if it's not from your site, then purge the user scope and
call your login method. This helps to prevent people from hacking your forms
and changing values. If your application is structured to use a
I've had problems with this before. The solution I use is to
just check the first character of the file with:
@left @ARG Cat_Banner_Image 1 Is not empty
Witango seems to like this much better.
Stefan
At 01:58 PM 9/12/2002 -0500, you wrote:
I had this working and made some modifications to
Binary files will break metatags sometimes.
Try @ifempty @left str=@arg Cat_Banner_Image numchars=5
This will test if the first 5 characters are not empty. Since the file
starts with GIF87a the offending characters should be omitted.
Dave
-Original Message-
From: [EMAIL PROTECTED]
Hello, John Hotaling! On 9/12/2002 2:45 PM -0400, you wrote in whole or part:
This is a start. frameset interesting
We use this technique on some sites, but make the bottom frame as 0 (zero) pixels:
<frameset rows=100%,*>
... frames here ...
</frameset>
WARNING! the savvy user can click out
Thanks Dave worked great.
Steve
-Original Message-
From: David Shelley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 12, 2002 1:57 PM
To: Multiple recipients of list witango-talk
Subject: RE: Witango-Talk: Sometimes I think I am going backwards
Binary files will break metatags
Thanks Stefan
Worked great
Steve
-Original Message-
From: Stefan Gonick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 12, 2002 1:50 PM
To: Multiple recipients of list witango-talk
Subject: Re: Witango-Talk: Sometimes I think I am going backwards
I've had problems with this
I'm sure it's understood to most of us on the list that no one thing can ensure
security, and that security is a process not a technology or product. And I am sure
that most of us on this list are aware of the idea of point of diminishing returns.
For those who don't it means that the
You could log the IP address with the user userreferencevariable and then
validate that they continue to match.
= Original Message from [EMAIL PROTECTED] at 9/12/02 11:56 am
If you're running a secure application it's a good idea to check the referer
on every hit, and if it's not from your
Currently with Tango there is a limitation with custom tags
All custom meta tags are empty tags; that is, custom meta tags can
have attributes but not content, because they do not have start and end
tags.
Does Witango overcome or plan to overcome this limitation with custom
tags? It would be a
In case you missed it earlier in this thread, this doesn't handle NAT (or
anonymizers) where there isn't a one-to-one mapping of users to IP
addresses.
You could log the IP address with the user userreferencevariable and then
validate that they continue to match.
= Original Message from
Hi
I'm unsure but I currently don't see any concrete use of closing metatags
apart from loops or sessions, so I'm unable to say if it could be useful for
the developer, maybe for managing some sort of constraints, but I think this
would be too complex to manage.
Does anyone see any use for
Anthony mentioned "One way to limit this is to also
include the client's IP as part of the userKey, but
then those people behind a NAT could still end up
sharing a session."
I use a similar method but I include a timestamp:
@CURRENTTIMESTAMP FORMAT='%Y%m%d%H%M%S'
when they log on and I have no