Witango-Talk: Transaction riddle...

2002-09-12 Thread Dan
This problem drives me crazy... It took my colleague and I ages to figure out what was happening: After developing a witango application on a developing machine on which everything works fine, we moved the whole thing to our server - Win 2000 / MS SQL. We're using the developing version on the first

RE: Witango-Talk: Transaction riddle...

2002-09-12 Thread Levin Hitch
Do you have the ftf47 installed? Here's a quote from a post earlier this year. Following it resolved a similar problem I had with transactions. We just installed FTF47 on tango2000/SP1, IIS5 and W2k. All seemed fine, BUT every time we load a page with transactions in it locks up the whole

Witango-Talk: Determine File size.

2002-09-12 Thread run run
Hello list, I have 2 subjects here: First; I need to know if we can search past discussion threads from witango-talk at witango site or ??. I am sure this will help me save your time by not asking a question you already answered many times before. Last; Anyway, I got various ways to

RE: Witango-Talk: Determine File size.

2002-09-12 Thread David Shelley
I think Ben Johansen has the archives at http://www.witango.ws To get a file length you could read the file with a file read action and check its length with @length or @calc expr=len(...) but if it's a binary file or a very big file this could cause problems. A better way is to run a DOS dir

Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Eric Weidl
Hi, Has anyone got any solutions for preventing session hijacking in Tango? To handle the possibility of a user having cookies turned off, we've made sure @USERREFERENCEARGUMENT is added to every URL. That solution has worked well, until recently. One of our customers copied a URL from the

Re: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Beverly Voth
Hello, Mike Tyranski! On 9/12/2002 10:38 AM -0500, you wrote in whole or part: Eric, Are they accessing the site and then immediately emailing others the link? I would think if you tried to use a link where the user reference was more than X minutes old, that particular user reference would

Re: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Jesse Parker
This problem is endemic to all web development tools. There is a way to address the problem: certificates and PKI. By the way, this is like someone buying a ticket to the movies, holding the backdoor open for their friends and then complaining that people didn't pay to see the movie. A large

RE: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread David Shelley
Eric, You could test for that particular userReference, and refresh the page with a different one if you get it. As a more generic solution you could check if the referer is empty (or other than your site), then repost the page with a new userreference. Dave -Original Message- From:

Re: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Mark Bushaw
Would this be possible- 1. Make a re-direct page for the offending URL, send them to an identical page but with no userreference. 2. Purge all variables. Now when some customer clicks on the link from marketing he will be brought to the appropriate page and eventually assigned a new

Re: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Robert S. Sfeir
This is what I call session trapping. If the user ref is sent in the URL, check it against the current user ref in the session. If it's not equal to the same value, then throw the user to a page and force a new session. Clear the user ref and

Re: [Re: Witango-Talk: Preventing Session hijacking]

2002-09-12 Thread Ramalingam Prasad
Correct me if I am wrong! One easy solution I thought of was to check if the @CGIPARAM NAME=referer is empty in every TAF file. If it is empty then we can actually redirect him to an access denied page. I might be wrong in giving this solution. But it sounds good to me for if the other user is trying to

Re: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Bill Downall
I do this most of the time. (Of course, it is helpful to spell UserReference correctly:-)) A page can still be hacked, but the hacker has to view the source, and won't find the arguments in the url history. Bill On Thu, 12 Sep 2002 10:14:26 -0700, Atrix Wolfe wrote: i have a silly idea that

Re: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Mike Tyranski
This would suck, but you could turn every link into a form. That way the ref wouldn't be in the URL. Mike Eric Weidl wrote: Hi, Has anyone got any solutions for preventing session hijacking in Tango? To handle the possibility of a user having cookies turned off, we've made sure

RE: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread David Shelley
If you're running a secure application it's a good idea to check the referer on every hit, and if it's not from your site, then purge the user scope and call your login method. This helps to prevent people from hacking your forms and changing values. If your application is structured to use a

Re: Witango-Talk: Sometimes I think I am going backwards

2002-09-12 Thread Stefan Gonick
I've had problems with this before. The solution I use is to just check the first character of the file with: @left @ARG Cat_Banner_Image 1 Is not empty Witango seems to like this much better. Stefan At 01:58 PM 9/12/2002 -0500, you wrote: I had this working and made some modifications to

RE: Witango-Talk: Sometimes I think I am going backwards

2002-09-12 Thread David Shelley
Binary files will break metatags sometimes. Try @ifempty @left str=@arg Cat_Banner_Image numchars=5 This will test if the first 5 characters are not empty. Since the file starts with GIF87a the offending characters should be omitted. Dave -Original Message- From: [EMAIL PROTECTED]

Re: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Beverly Voth
Hello, John Hotaling! On 9/12/2002 2:45 PM -0400, you wrote in whole or part: This is a start. frameset interesting We use this technique on some sites, but make the bottom frame as 0 (zero) pixels: <frameset rows=100%,*> ... frames here ... </frameset> WARNING! the savvy user can click out

RE: Witango-Talk: Sometimes I think I am going backwards

2002-09-12 Thread Fogelson, Steve
Thanks Dave worked great. Steve -Original Message- From: David Shelley [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 12, 2002 1:57 PM To: Multiple recipients of list witango-talk Subject: RE: Witango-Talk: Sometimes I think I am going backwards Binary files will break metatags

RE: Witango-Talk: Sometimes I think I am going backwards

2002-09-12 Thread Fogelson, Steve
Thanks Stefan Worked great Steve -Original Message- From: Stefan Gonick [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 12, 2002 1:50 PM To: Multiple recipients of list witango-talk Subject: Re: Witango-Talk: Sometimes I think I am going backwards I've had problems with this

RE: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Anthony M. Humphreys
I'm sure it's understood to most of us on the list that no one thing can ensure security, and that security is a process not a technology or product. And I am sure that most of us on this list are aware of the idea of point of diminishing returns. For those who don't it means that the

RE: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Troy Sosamon
You could log the IP address with the user userreferencevariable and then validate that they continue to match. = Original Message from [EMAIL PROTECTED] at 9/12/02 11:56 am If you're running a secure application it's a good idea to check the referer on every hit, and if it's not from your

Witango-Talk: Custom Tag Limitation Question

2002-09-12 Thread Mike Tyranski
Currently with Tango there is a limitation with custom tags: All custom meta tags are empty tags; that is, custom meta tags can have attributes but not content, because they do not have start and end tags. Does Witango overcome or plan to overcome this limitation with custom tags? It would be a

RE: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread Bill Conlon
In case you missed it earlier in this thread, this doesn't handle NAT (or anonymizers) where there isn't a one-to-one mapping of users to IP addresses. You could log the IP address with the user userreferencevariable and then validate that they continue to match. = Original Message from

Re: Witango-Talk: Custom Tag Limitation Question

2002-09-12 Thread [Gauthier]
Hi, I'm unsure but I currently don't see any concrete use of closing metatags apart from loops or sessions, so I'm unable to say if it could be useful for the developer, maybe for managing some sort of constraints, but I think this would be too complex to manage with. Does anyone see any use for

RE: Witango-Talk: Preventing Session hijacking

2002-09-12 Thread JJ Smith
Anthony mentioned One way to limit this is to also include the client's IP as part of the userKey, but then those people behind a NAT could still end up sharing a session. I use a similar method but I include a timestamp: @CURRENTTIMESTAMP FORMAT='%Y%m%d%H%M%S' when they log on and I have no