This problem is endemic to all web development tools. There is a way to
address the problem: certificates and PKI.
By the way, this is like someone buying a ticket to the movies, holding
the backdoor open for their friends and then complaining that people
didn't pay to see the movie. A large bank I worked with examined this
issue and decided it was not a significant security problem.
On Thu, 12 Sep 2002, Eric Weidl wrote:
> Hi,
>
> Has anyone got any solutions for preventing session hijacking in Tango?
>
> To handle the possibility of a user having cookies turned off, we've made
> sure <@USERREFERENCEARGUMENT> is added to every URL. That solution has
> worked well, until recently.
>
> One of our customers copied a URL from the site and emailed it to a number
> of other people. Now, they are all sharing the same session and user
> variables.
>
> We've always known this could happen but, only with a recent increase in
> traffic on the site have two users come in during the same timeframe (and
> thus stomped on each others variables).
>
> We've got a couple ideas about how to address the problem, but I'm
> wondering what other approaches others have taken.
>
> Thanks,
>
> Eric
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> with unsubscribe witango-talk in the message body
>
________________________________________________________________________
TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
with unsubscribe witango-talk in the message body
