Would this be possible?
1. Make a re-direct page for the offending URL, send them to an identical page 
but with no userreference.
2. Purge all variables.
Now when some customer clicks on the link from marketing he will be brought to 
the appropriate page and eventually assigned a new userreference. That will clear 
the immediate problem.
3. Add a time code to the reference and check if the time is within x of current 
time.  This may lose some variables for extended sessions, and will still allow same-
time hijacking, but will keep the problem confined to x time.
Mark Bushaw
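Step 3 above (a time code in the user reference, checked against a window x) together with the redirect from step 1, as an added example that is not part of this thread or of Witango. It also puts an HMAC over the nonce and timestamp so an edited or forged time code is rejected, which the thread does not discuss; the SECRET, MAX_AGE, the userreference query-parameter name and the example.test URL are assumptions.

```python
import hmac, hashlib, time, secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Assumed server-side secret; load it from configuration in a real deployment.
SECRET = secrets.token_bytes(32)
# "x" from step 3: 30 minutes, matching the session timeout mentioned in the thread.
MAX_AGE = 30 * 60

def new_user_reference(now=None):
    """Mint a reference of the form <nonce>.<unix-time>.<mac>.
    The time is fixed at mint, so steady traffic cannot keep it alive beyond x."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    body = f"{nonce}.{now}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}.{mac}"

def reference_is_valid(ref, now=None, max_age=MAX_AGE):
    """True only if the MAC matches and the embedded time is within max_age of now."""
    now = int(time.time() if now is None else now)
    try:
        nonce, ts, mac = ref.split(".")
        ts = int(ts)
    except ValueError:
        return False  # malformed reference
    expected = hmac.new(SECRET, f"{nonce}.{ts}".encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False  # tampered nonce, time code or MAC
    return 0 <= now - ts <= max_age

def handle_request(url, now=None):
    """Steps 1 and 3: a missing, stale or forged reference is replaced by a fresh one
    via redirect instead of reusing whatever session the link carried."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    ref = q.get("userreference", [None])[0]
    if ref is not None and reference_is_valid(ref, now):
        return ("serve", ref)
    q["userreference"] = [new_user_reference(now)]
    redirect = parsed._replace(query=urlencode(q, doseq=True)).geturl()
    return ("redirect", redirect)
```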


On 12 Sep 2002 at 11:05, Eric Weidl wrote:

> Hi,
> 
> >Are they accessing the site and then immediately emailing others the
> >link?
> 
> No, a marketing person copied a URL from a page on the site and emailed it 
> to 10,000+ customers.
> 
> 
> >I would think if you tried to use a link where the user reference
> >was more than X minutes old, that particular user reference would have
> >expired.
> 
> Hard to believe, but there has been enough consistent traffic that the 
> session hasn't expired for 3+ weeks. Enough different users are accessing 
> the site throughout the day to keep the session active. BTW, the session 
> timeout is set to 30 minutes.
> 
> 
> >In other words, you shouldn't be able to use that link
> >indefinitely.  How do you know if a particular user reference is valid?
> 
> We accept any user reference.
> 
> 
> >  IMHO, if they don't have session cookies turned on, they aren't living
> >in this decade.
> 
> That's my feeling too, but not our customers. :-(
> 
> 
> >Passing user references like this is a maintenance nightmare.
> 
> Not really. We've been careful to add them to all URLs as we go, so it 
> hasn't been a problem.
> 
> 
> Eric
> 
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
>                 with unsubscribe witango-talk in the message body

