
Author Topic: AmigaKit down?  (Read 6611 times)


Offline wurzel

  • Sr. Member
  • ****
  • Join Date: Jan 2007
  • Posts: 273
    • http://www.wurzel.co.uk
Re: AmigaKit down?
« Reply #29 from previous page: August 13, 2008, 09:43:18 PM »
Yes, it appears to be working, although the usual "splash" page with the flags isn't there.

This is on IBrowse ;)
--
A1200 Power Tower, Blizzard 060 with SCSI, 196mb Ram, Mediator, Voodoo 5500, Spider USB, Hauppauge TV, Soundblaster & Fast Ethernet cards, 2gb boot/program drive, 40gb data drive, 40x12x48 CDRW
 

Offline motorollin

  • Hero Member
  • *****
  • Join Date: Nov 2005
  • Posts: 8669
Re: AmigaKit down?
« Reply #30 on: August 13, 2008, 09:49:20 PM »
Quote
tonyyeb wrote:
Why is the session URL sensitive? I've seen people post links with the session ID in, are people putting personal data at risk?

The session ID is used to identify which user is logged on. When I clicked the link with your session I was able to access the site as if I were logged on as you, meaning I could access your account. That's why it is not secure to post a link with a session ID.
Code:
10  IT'S THE FINAL COUNTDOWN
20  FOR C = 1 TO 2
30     DA-NA-NAAAA-NAAAA DA-NA-NA-NA-NAAAA
40     DA-NA-NAAAA-NAAAA DA-NA-NA-NA-NA-NA-NAAAAA
50  NEXT C
60  NA-NA-NAAAA
70  NA-NA NA-NA-NA-NA-NAAAA NAAA-NAAAAAAAAAAA
80  GOTO 10
 

Offline motorollin

  • Hero Member
  • *****
  • Join Date: Nov 2005
  • Posts: 8669
Re: AmigaKit down?
« Reply #31 on: August 13, 2008, 09:52:39 PM »
Quote
weirdami wrote:
I'd say perhaps that in the further interest of security that those session ID things be not used. If that's impossible, maybe do like how there is a generic URL that loads things from a session ID accessible page.

The session ID can be stored in a cookie and passed to the web server, or passed between pages by storing it in $_SESSION. Either of these would be preferable to passing the session ID in the URL.
 

Offline sim085

  • Hero Member
  • *****
  • Join Date: Aug 2008
  • Posts: 958
Re: AmigaKit down?
« Reply #32 on: August 13, 2008, 09:53:10 PM »
Mine is working now (cleared cache) although session Id is still passed from the URL.
 

Online amigakit

Re: AmigaKit down?
« Reply #33 on: August 13, 2008, 09:54:45 PM »
We have added additional checking now linked to the Session ID which will terminate the session. To catch users that forget to log out, we are implementing a script to auto-logoff if the user leaves the site without selecting logoff.
www.AmigaKit.com - Amiga Reseller | Manufacturer | Developer

New Products  --   Customer Help & Support -- @amigakit
 

Offline ZeBeeDee

  • Hero Member
  • *****
  • Join Date: Jan 2007
  • Posts: 1081
Re: AmigaKit down?
« Reply #34 on: August 13, 2008, 10:36:13 PM »
I'm getting no pictures of any products on any Amigakit site in IE6 and Firefox 3 @ the time of posting.



Did somebody forget to pay the photographer now? lol
To err is human ... to BOING divine!

 

Offline Lando

  • Hero Member
  • *****
  • Join Date: Jun 2002
  • Posts: 1390
    • https://bartechtv.com
Re: AmigaKit down?
« Reply #35 on: August 13, 2008, 11:07:45 PM »
Quote

ZeBeeDee wrote:
I'm getting no pictures of any products on any Amigakit site in IE6 and Firefox 3 @ the time of posting.


Same here in Safari  :-?
 

Offline Phantom

  • Hero Member
  • *****
  • Join Date: Feb 2006
  • Posts: 631
    • http://l9memorial.if-legends.org/html/home.html
Re: AmigaKit down?
« Reply #36 on: August 13, 2008, 11:17:53 PM »
It seems to work, but any images don't want to load. This is with iBrowse 2.4.
To Be A True Adventurer, You Ought To Play Real Text Adventures
 

Offline ZeBeeDee

  • Hero Member
  • *****
  • Join Date: Jan 2007
  • Posts: 1081
Re: AmigaKit down?
« Reply #37 on: August 13, 2008, 11:42:09 PM »
I'm starting to see some pictures of products in both IE6 & Firefox now.


*Addendum*    

All pictures of products are showing once again for me on the UK site, other Amigakit sites are slowly coming back :-)
 

Offline klx300r

  • Amiga 1000+AmigaOne X1000
  • Hero Member
  • *****
  • Join Date: Sep 2007
  • Posts: 3261
  • Country: ca
  • Thanked: 20 times
  • Gender: Male
    • http://mancave-ramblings.blogspot.ca/
Re: AmigaKit down?
« Reply #38 on: August 14, 2008, 01:57:37 AM »
working great for me with firefox 2.01
____________________________________________________________________
c64-dual sids, A1000, A1200-060@50, A4000-CSMKIII
Indivision AGA & Catweasel MK4+= Amazing
! My Master Miggies-Amiga 1000 & AmigaOne X1000 !
--- www.mancave-ramblings.blogspot.ca ---
  -AspireOS.com & Amikit- Amiga for your netbook-
***X1000- I BELIEVE *** :angel:
 

Offline Piru

  • ' union select name,pwd--
  • Hero Member
  • *****
  • Join Date: Aug 2002
  • Posts: 6946
    • http://www.iki.fi/sintonen/
Re: AmigaKit down?
« Reply #39 on: August 14, 2008, 03:07:39 AM »
Session token should be transferred either via cookie or HTTP POST, never thru HTTP GET.

With HTTP GET the session tokens leak to server logs, to other sites via HTTP-referer header, proxies, browser cache, browser url history, links posted by the user etc. This is especially grave if the session is related to financial dealings such as ordering product using some pre-existing account.

http://en.wikipedia.org/wiki/Session_hijacking
http://en.wikipedia.org/wiki/Session_fixation
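
A detection sketch for the leak paths listed in the post above, added here as an example and not part of the original thread: it scans access-log lines for session IDs carried in the request URL or the Referer header and flags a token seen from more than one client address. The parameter names, host names and log lines are constructed assumptions.

```php
<?php
// Added example, not code from the thread. Finds session IDs that reached an
// access log through GET. Parameter names are assumptions; sample lines are constructed.
const TOKEN_RE = '/[?&;](?:PHPSESSID|sid|session_?id)=([A-Za-z0-9,-]{8,})/i';

// Split one combined-log-format line into the fields that can carry a URL.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'url' => $m[2], 'referer' => $m[3]];
}

// Group sightings by token. Tokens are reported as a truncated SHA-256 so the
// report does not become another place where the live value is stored.
function find_leaks(array $lines): array
{
    $seen = [];
    foreach ($lines as $line) {
        $rec = parse_line($line);
        if ($rec === null) {
            continue;
        }
        foreach (['url', 'referer'] as $field) {
            if (preg_match(TOKEN_RE, $rec[$field], $m)) {
                $key = substr(hash('sha256', $m[1]), 0, 12);
                $seen[$key]['fields'][$field] = true;
                $seen[$key]['ips'][$rec['ip']] = true;
            }
        }
    }
    return $seen;
}

$sample = [ // constructed log lines using documentation address ranges
    '192.0.2.10 - - [13/Aug/2008:21:40:01 +0000] "GET /index.php?PHPSESSID=3f9c1a7be2d04c55 HTTP/1.1" 200 5120 "-" "Example/1.0"',
    '192.0.2.10 - - [13/Aug/2008:21:40:02 +0000] "GET /logo.png HTTP/1.1" 200 900 "http://shop.example/index.php?PHPSESSID=3f9c1a7be2d04c55" "Example/1.0"',
    '198.51.100.7 - - [13/Aug/2008:21:48:30 +0000] "GET /index.php?PHPSESSID=3f9c1a7be2d04c55 HTTP/1.1" 200 5120 "http://forum.example/topic" "Example/1.0"',
    '203.0.113.5 - - [13/Aug/2008:21:50:02 +0000] "GET /cart.php HTTP/1.1" 200 830 "-" "Example/1.0"',
];
foreach (find_leaks($sample) as $key => $hit) {
    $ips = array_keys($hit['ips']);
    printf("token %s in %s; %d client(s): %s%s\n", $key, implode('+', array_keys($hit['fields'])),
        count($ips), implode(', ', $ips), count($ips) > 1 ? ' <- shared or hijacked session' : '');
}
```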
 

Offline LoadWB

  • Hero Member
  • *****
  • Join Date: Jul 2006
  • Posts: 2901
  • Country: 00
Re: AmigaKit down?
« Reply #40 on: August 14, 2008, 09:20:14 AM »
Quote
motorollin wrote:

The session ID can be stored in a cookie and passed to the web server, or passed between pages by storing it in $_SESSION. Either of these would be preferable to passing the session ID in the URL.


The PHPSESSION value stored in a Cookie or POST identifies the session to a new page in order to populate the $_SESSION super-global.  So you can't store the session ID in a $_SESSION variable and expect it to work.  A cookie is preferable to POST as the POST would require a hidden variable in a form rendered in plain-text html, and therefore subject to cache snooping after the fact.

Most of the time what happens is people are so overly paranoid about cookies that they don't allow them, period.  This breaks many sites' functionality.  Good, active anti-malware software and having third-party cookies disabled in the browser will generally keep users' machines clean (generally.)  Disabling cookies altogether is a bad thing, IMHO.

I'll accept any cookie, so long as it's chocolate chip or white chocolate chip without the nuts.  :crazy:
 

Offline motorollin

  • Hero Member
  • *****
  • Join Date: Nov 2005
  • Posts: 8669
Re: AmigaKit down?
« Reply #41 on: August 14, 2008, 10:06:18 AM »
Quote
LoadWB wrote:
The PHPSESSION value stored in a Cookie or POST identifies the session to a new page in order to populate the $_SESSION super-global.  So you can't store the session ID in a $_SESSION variable and expect it to work.

I'll have to take your word for that. I could never get sessions working properly using $_SESSION so I don't think I understood it properly. I ended up storing the user's variables in a database table and recovering them using the session ID stored in the cookie :-?
 

Offline LoadWB

  • Hero Member
  • *****
  • Join Date: Jul 2006
  • Posts: 2901
  • Country: 00
Re: AmigaKit down?
« Reply #42 on: August 14, 2008, 11:01:10 AM »
Quote

motorollin wrote:
Quote
LoadWB wrote:
The PHPSESSION value stored in a Cookie or POST identifies the session to a new page in order to populate the $_SESSION super-global.  So you can't store the session ID in a $_SESSION variable and expect it to work.

I'll have to take your word for that. I could never get sessions working properly using $_SESSION so I don't think I understood it properly. I ended up storing the user's variables in a database table and recovering them using the session ID stored in the cookie :-?


It's actually easier than it seems.  Before you send any output to the browser, issue a start_session() then you can begin populating $_SESSION variables.  On the next page, issue a start_session() again and you can use the variables.  When you're done, issue a session_destroy() and that's it.

In interim pages you can also issue a session_regenerate_id() to avoid session fixations.  This calculates a new session id and issues it to the browser.  Put "true" as the function parameter and it will also destroy the old session store (the file, mm entry, sqlite row, etc.) while transferring the $_SESSION variables to under the new ID.
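
The session flow described in the post above, as an added example that is not part of the original thread or the shop's code: cookie-only sessions, a new ID at login, and full teardown at logout. PHP's function for starting a session is named `session_start()`; the login check, field names and HTTPS-only cookie are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Cookie-only sessions with ID rotation.
// These settings must run before session_start() and before any output is sent.
ini_set('session.use_only_cookies', '1'); // ignore session IDs supplied in the URL
ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
session_set_cookie_params([               // array form needs PHP 7.3 or later
    'lifetime' => 0,                      // cookie lasts until the browser closes
    'path'     => '/',
    'secure'   => true,                   // assumption: the site is served over HTTPS
    'httponly' => true,                   // cookie is not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical credential check with constructed values; a real site would
// look the user up and call password_verify() on a stored hash.
function check_login(string $user, string $pass): bool
{
    return $user === 'demo' && hash_equals('constructed-password', $pass);
}

// Read a POST field as a string, rejecting array-valued input.
function post_str(string $key): string
{
    return is_string($_POST[$key] ?? null) ? $_POST[$key] : '';
}

$action = post_str('action');
if ($action === 'login' && check_login(post_str('user'), post_str('pass'))) {
    // New ID at the privilege change. Passing true deletes the old session
    // store, so an ID that was fixed or copied before login stops working.
    session_regenerate_id(true);
    $_SESSION['user'] = post_str('user');
} elseif ($action === 'logout') {
    $_SESSION = [];                       // clear the data held in this request
    $p = session_get_cookie_params();
    unset($p['lifetime']);                // setcookie() expects 'expires' instead
    setcookie(session_name(), '', ['expires' => time() - 3600] + $p);
    session_destroy();                    // delete the server-side store
}

echo isset($_SESSION['user'])
    ? 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8')
    : 'Not logged in';
```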
 

Offline motorollin

  • Hero Member
  • *****
  • Join Date: Nov 2005
  • Posts: 8669
Re: AmigaKit down?
« Reply #43 on: August 14, 2008, 11:22:16 AM »
Quote
LoadWB wrote:
It's actually easier than it seems.  Before you send any output to the browser, issue a start_session() then you can begin populating $_SESSION variables.  On the next page, issue a start_session() again and you can use the variables.  When you're done, issue a session_destroy() and that's it.

So how does the web server know which session to issue to the browser on subsequent calls to start_session()? Is there a predefined variable which you set to the session ID for start_session() to pass back?
 

Online amigakit

Re: AmigaKit down?
« Reply #44 on: August 14, 2008, 11:25:41 AM »
OK - we have implemented full cookie session IDs - this will mean that to shop, you have to now enable cookies for the site if you have disabled them. Feedback is welcomed.

This should also eliminate the URI too long error that a small amount of users were getting.