[thesite] Hijacking prevention...

jeff jeff at members.evolt.org
Sun Dec 3 11:43:32 CST 2000


: From: Joshua OIson
: Was any sort of session hijacking prevention
: method installed on evolt this go-around?  That
: could, potentially, cause problems with autovalidators
: examining urls with cfid and cftoken.  Just a thought,
: though I'm not sure you even put one on.

there isn't any session hijacking prevention in place at this time.  it's
assumed that if you paste a url from the site while you're logged in and
tokens are appended that you intended to share your session with whom you're
sharing the url.

if you're logged in with a persistent login then you don't need to worry
about it as tokens are not appended.

i believe the problem is that none of the urls on the site point at any
actual documents on the server.  for whatever reason, other servers see that
and report it as a 404, even though our server will still serve up a
document.  very odd.  i discovered the same problem occurs on the sites
we've built at alphashop using this technique so it's not isolated to linux.

i wonder what search engines will think?  crawl or 404?
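The discussion above concerns session identifiers (cfid/cftoken) carried in the query string, which are leaked whenever such a URL is pasted. As an added example that is not evolt's code, the following shows two defensive measures a site could apply: stripping the identifiers before a URL is shared or logged, and binding each session to a server-derived client fingerprint (assumed here to be an opaque string, e.g. built from the User-Agent header) so that a token presented from a different client is rejected.

```python
# Added example, not code from the evolt site. Demonstrates handling of
# URL-carried session identifiers such as ColdFusion's CFID/CFTOKEN pair.
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAMS = {"cfid", "cftoken"}  # query parameters that identify a session


def session_tokens_in(url: str) -> dict:
    """Return any session-identifier parameters found in the URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k.lower(): v for k, v in pairs if k.lower() in SESSION_PARAMS}


def strip_session_tokens(url: str) -> str:
    """Return the URL with session identifiers removed, so it is safe to share or log."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class SessionStore:
    """Server-side session table; each session is bound to a client fingerprint
    (assumed to be derived by the server, e.g. from the User-Agent header)."""

    def __init__(self):
        self._sessions = {}  # cfid -> (cftoken, fingerprint)

    def create(self, fingerprint: str) -> tuple:
        cfid = str(len(self._sessions) + 1)
        cftoken = secrets.token_hex(16)  # unguessable, unlike a short numeric token
        self._sessions[cfid] = (cftoken, fingerprint)
        return cfid, cftoken

    def validate(self, cfid: str, cftoken: str, fingerprint: str) -> bool:
        """True only if the token matches and the request comes from the bound client."""
        entry = self._sessions.get(cfid)
        if entry is None:
            return False
        stored_token, stored_fp = entry
        # constant-time compare; a pasted token used from another client fails the binding
        return hmac.compare_digest(stored_token, cftoken) and stored_fp == fingerprint
```

The fingerprint binding does not stop a token reused from the same kind of client, so it complements, rather than replaces, keeping identifiers out of URLs (as the persistent-login cookie path already does).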
