• The Jaybird (unregistered)

    Foist!

  • Karl (unregistered)

    Ah, I see the WTF; the 97th digit is off by one.

  • (cs)

    It's a 714-byte session identifier that's unique enough to represent all sessions across all websites across all the Internets across all galaxies throughout all of time ... four times over.

    Maybe they were burned badly by Y2K.

    It reminds me of a base-64 encoded picture.

  • APAQ11 (unregistered) in reply to Karl

    That's not a WTF... that's just coding for the future. The world population, it is a multiplying.

  • sar (unregistered)

    i've worked on Accenture engagements and this does not surprise me in the least...  they probably billed out some new college grads fresh from accenture "bootcamp" at 500/hr for that crap....

  • Mr Beeper (unregistered)

    Maybe it's supposed to be something similar to ASP.NET's Viewstate.

  • (cs)

    Is that really just the session ID?  It might be the session ID plus a lot more data too!

  • Anon (unregistered)

    It actually looks like, with all those strings of 0's followed by chunks of characters, that this "session id" is being used to store some data about the session. 

    Now that would be a WTF.


    (I love it when the captcha is 'enterprise')

  • nn (unregistered)

    Don't you see?

    That's your total IRS record right there in the session !

    Very nice if they want to employ you :P

  • Dave (unregistered) in reply to loneprogrammer

    In the next $100 million phase they will be implementing gzip compression for URLs.

  • (cs) in reply to sar

    They don't want to be outgunned when the 1-yottabyte disk comes standard on new computers.

  • (cs) in reply to Karl

    This stuff used to piss me off... Why in God's name would someone choose a "unique" identifier of such uniqueness? 32 characters of hex was enough to make me grit my teeth. These days, I don't worry about it. I've seen so much worse crap lying around; if someone's worst problem is that they think they're going to need more than 1.1579208923731619542357098500869e+77 unique identifiers, more power to 'em.

  • Killsystem (unregistered)

    Hi, you can't imagine how many people are unemployed in Germany.
    We need this state of uniqueness g

  • Cipher (unregistered) in reply to R.Flowers

    Yeah, I don't even see the code. I just see blondes, brunettes, and redheads.

  • Anita Tinkle (unregistered) in reply to Cipher

    Heh.  I can't even get their website to come up.

  • Anita Tinkle (unregistered) in reply to Anita Tinkle

    Looking closer at the URL, I'm very curious what the stuff after the underscore  signifies (maybe it's some sort of partial salt?)

  • (cs)

    Well, 714 bytes is 8 bits, so we have 2^5712 possible session identifiers, which is a bit more than 10^1719.

    There are about 10^78 atoms in the universe, so if every atom in the universe created a session every second, that site won't run out of sessions for 10^1641 seconds, which is about 10^1635 years.

    That's the kind of Enterprise-class engineering I'd expect in a $165M site.

  • Chris (unregistered)

    I see an underscore in there towards the end. Then all the hex letters magically jump to upper case. Definitely other information stored in there.

    Also I viewed source on the website. I noticed that one of these crazy session URLs actually had 1 GET data as well. So my 'spot the WTF' is that the session is storing data as well as the URL with GETs. I think the extra money was to add the features of sending data through cookies and POST as well! Now that's enterprisey!

  • Paul (unregistered) in reply to Chris

    Some of the strings embedded:

    IDL:http/ReqProcessor:1.0
    s0202021
    berufe_cluster
    /tomcat4_poa
    VIS
    UserRealm
    VB
    Borland

  • (cs) in reply to Paul
    Anonymous:

    Some of the strings embedded:

    IDL:http/ReqProcessor:1.0
    s0202021
    berufe_cluster
    /tomcat4_poa
    VIS
    UserRealm
    VB
    Borland



    That's using the old noodle!

  • (cs)

    That's not a session id, it is a uuencoded JPG of Bill Gates!

  • (cs)

    I was half-expecting a circle to appear in that, made entirely from 1s and 0s.

    (joke for Sagan fans)

  • Ben Adams (unregistered) in reply to Cipher

    Heh! That cracks me up.

  • (cs) in reply to Paul
    Anonymous:

    Some of the strings embedded:

    IDL:http/ReqProcessor:1.0
    s0202021
    berufe_cluster
    /tomcat4_poa
    VIS
    UserRealm
    VB
    Borland



    Where is "berufe_cluster" embedded?

  • (cs) in reply to Suck My Lisp
    Suck My Lisp:
    Well, 714 bytes is 8 bits, so we have 2^5712 possible session identifiers, which is a bit more than 10^1719.

    There are about 10^78 atoms in the universe, so if every atom in the universe created a session every second, that site won't run out of sessions for 10^1641 seconds, which is about 10^1635 years.

    That's the kind of Enterprise-class engineering I'd expect in a $165M site.


    Well, they'd be remiss if they forgot to consider those persons needing to log on after the heat death of the universe.

  • Kiss me, I'm Polish (unregistered) in reply to Cipher

    Unemployment? That's because they outsourced this ArbeitsDoppelGang to USA.

  • Wolfsbein (unregistered) in reply to ParkinT

    What frightens me much more than that absolutely unique identifier is this tabindex="600"!

  • dave (unregistered) in reply to emurphy

    here ->  6265727566655f636c7573746572

  • dave (unregistered) in reply to emurphy
    emurphy:
    Anonymous:

    Some of the strings embedded:

    IDL:http/ReqProcessor:1.0
    s0202021
    berufe_cluster
    /tomcat4_poa
    VIS
    UserRealm
    VB
    Borland



    Where is "berufe_cluster" embedded?




    errr   here -> 6265727566655f636c7573746572
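    As an added example (not code from the thread or from the site it discusses), the check dave's hex lookup does by hand, done programmatically: decode the hex before the underscore, pull out printable runs the way `strings` would, and compare the token's nominal size with the entropy its bytes actually carry. The structured token is constructed from the strings quoted above with null padding; the part after the underscore and the opaque comparison token are made up.

```python
import math
import random
from typing import Dict, List


def printable_runs(data: bytes, min_run: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_run bytes, like the `strings` tool."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            cur.append(b)
        else:
            if len(cur) >= min_run:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical entropy: encrypted/random bytes sit near 8, null-padded plaintext far below."""
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_token(token: str) -> dict:
    """Decode the hex before any '_' (the thread notes only the part after it varies)
    and report length, null bytes, embedded strings, and nominal vs effective bits."""
    data = bytes.fromhex(token.split("_", 1)[0])
    ent = shannon_bits_per_byte(data)
    return {
        "bytes": len(data),
        "nominal_bits": 8 * len(data),             # what the length alone suggests
        "effective_bits": round(ent * len(data)),  # what the content actually carries
        "null_fraction": data.count(0) / len(data),
        "strings": printable_runs(data),
    }


# Constructed sample (not the real site's token): the strings quoted in the thread,
# each null-padded to 32 bytes, then '_' and a made-up short identifier.
FIELDS = [b"IDL:http/ReqProcessor:1.0", b"s0202021", b"berufe_cluster",
          b"/tomcat4_poa", b"UserRealm", b"Borland"]
STRUCTURED_TOKEN = b"".join(f.ljust(32, b"\x00") for f in FIELDS).hex() + "_6F692A4A57384700"

# Constructed comparison: 192 seeded pseudo-random bytes, the look of an opaque encrypted token.
_rng = random.Random(2006)
OPAQUE_TOKEN = bytes(_rng.getrandbits(8) for _ in range(192)).hex()
```

    Call `analyze_token(STRUCTURED_TOKEN)` to see the quoted strings fall out with a null fraction above half, and `analyze_token(OPAQUE_TOKEN)` for the contrast: same byte count, but effective bits close to the nominal figure and no padding.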

  • Aleman (unregistered)

    Now this may not be as bad as it looks, actually.

    Privacy laws in Germany are very strict, and so I am quite sure that there are some formal rules about using (or not using) cookies in the construction of this site, as well as about long-term server-side storage of a user's private (and potentially sensitive) data. This means that using the URL to encode a user's personal data may be the only viable option. (The URL looks like an encoded record of data followed by an underscore and some "real" session ID.)

    This strange design "requirement" may also be one of the reasons why this (otherwise incredibly poorly done) web site starts to lose sessions once you use more than one window or more than one tab at a time in a multi-tab capable browser. (Skipping through the job list -- which appears to be flooded with bogus job offers entered by private temp-employment agencies -- over a slow Internet connection using only the browser's "back" button is sure to drive you nuts before even getting to the first serious offer. But then, this is supposed to be your new full-time job anyway...)

  • fullstop (unregistered) in reply to Wolfsbein
    Anonymous:
    What frightens me much more than that absolutely unique identifier is this tabindex="600"!


    It is probably an attempt to make sure that the menu is the last item to receive focus when navigating by keyboard.

    I personally find it very frustrating when keyboard navigation jumps all over the place.


  • (cs) in reply to Kiss me, I'm Polish

    Hey, don't blame us, after they outsourced it to us we outsourced it to India!

  • (cs) in reply to Paul
    Anonymous:

    Some of the strings embedded:

    IDL:http/ReqProcessor:1.0
    s0202021
    berufe_cluster
    /tomcat4_poa
    VIS
    UserRealm
    VB
    Borland

    I'll take a guess that they are attempting to prevent session hijacking.

  • (cs) in reply to Paul
    Anonymous:

    Some of the strings embedded:

    IDL:http/ReqProcessor:1.0
    s0202021
    berufe_cluster
    /tomcat4_poa
    VIS
    UserRealm
    VB
    Borland



    More (but much less significant):
    F
    M
    PMC
    VB!
    W3no7?k,

    It definitely looks like it's more than a session ID. Data is definitely stored in there...

    I went to the site, and the only thing that changes in that session id is everything after the underscore. For me, the text there converted to "oi*JW8G".

  • (cs)

    Sounds like more psychological warfare on the angst-ridden unemployed who would commit acts of defiance against their corporo-political gods. Obviously nobody would challenge that sort of security because there is no way they could. Right on!

  • Kyle Bennett (unregistered)

    Wait, isn't a "Federal Labor Office's" job to find ways to give unemployed people money for doing basically nothing under the guise of being gainfully employed so everyone can pretend it's not a handout?  If so, I'd say this was the most successful software project there has ever been.

  • verisimilidude (unregistered) in reply to Killsystem

    With all the illegal immigrants coming to Germany and trying to get benefits they need a larger number than the number of sub-atomic particles in the solar system.

    I suspect the poster who thought that the URL encodes the state of the system in some way is correct.  I don't think I'll try hacking the system however when the system is owned by a major government. 

  • (cs) in reply to Paul
    Anonymous:

    Some of the strings embedded:

    ...
    /tomcat4_poa

    ...

    VB
    Borland


    Just in case they forget what compiler they were using.

  • (cs) in reply to Paul
    Anonymous:
    Some of the strings embedded:

    IDL:http/ReqProcessor:1.0
    s0202021
    berufe_cluster
    /tomcat4_poa
    VIS
    UserRealm
    VB
    Borland

    Hah. Looks like they're using Borland Enterprise Server and screwed up their pointers somewhere. What you're seeing there is most likely some contents of the stack at some point, with the crap after the underscore being the real session id. There's probably a security hole there somehow as well.


  • (cs) in reply to sar
    Anonymous:
    i've worked on Accenture engagements and this does not surprise me in the least...  they probably billed out some new college grads fresh from accenture "bootcamp" at 500/hr for that crap....


    ..and what's worse is that they probably billed that and built the app at their Bangalore location. My experience with Accenture was that they were an army of partners and partners-in-training, with no one left to do the actual work. "Let's schedule a meeting to discuss the next meeting regarding meetings"

    Oy.

  • spook (unregistered) in reply to Paul

    /tomcat4_poa  ....

    "poa" always smells like CORBA.



  • (cs)

    65M? What the hell? I recently talked with a few of the biggest companies that will host/install their prebuilt employment portals for you and most charge about $30k. I can understand charging more for a custom application, but seriously, for that much money you could practically write the app, os, db and webserver to run it on!

  • (cs) in reply to sjfsjf

    ...
    /tomcat4_poa

    ...

    VB
    Borland


    ----


    Are they mixing visual basic, and tomcat/jsp??? WTF???

  • fgilcher (unregistered) in reply to RyanD
    RyanD:
    65M? What the hell? I recently talked with a few of the biggest companies that will host/install their prebuilt employment portals for you and most charge about $30k. I can understand charging more for a custom application, but seriously, for that much money you could practically write the app, os, db and webserver to run it on!


    well, 65M was the first estimate. IIRC, the project was stopped short before reaching the 200M mark. Go figure...

  • Beau Gunderson (unregistered) in reply to RyanD

    IDL:http/ReqProcessor:1.0$ s0202021ëFMPMCIDL:http/ReqProcessor:1.0  berufe_cluster
    /tomcat4_poaVISVIS !p"@gg UserRealmVB!BorlandgÊ“0öæósö¾Á˜

    ...wtf.

    http://nickciske.com/tools/hex.php

  • John (unregistered) in reply to pinguis

    I see signs of VB, tomcat/jsp, CORBA, and some random Borland language in there. I'm guessing that that's the reason it's so expensive.

  • Howard M. Lewis Ship (unregistered) in reply to Karl

    I suspect that session id is not just the id of the session, but has encoded into it some clustering/routing/failover information. I don't think WebLogic does this, but I believe WebSphere or maybe one of the older app servers does.  Unless Indenture is in the habit of rolling their own application server, this is probably due to their choice of app server rather than a specific design or coding issue.

  • Jamie Riden (unregistered)

    Bad daily WTF! Bad!

    Wrap up an Initialisation Vector, AES encrypted data plus a HMAC in a hex encoding and you will end up with something like this.  I'm not saying that's what they've done, but there are valid reasons for using a 200-odd digit session ID.


  • Howard M. Lewis Ship (unregistered) in reply to Howard M. Lewis Ship

    Tapestry tends to encode a lot of stuff into URLs (or hidden form fields), but is nice enough to compress/encrypt/MIME encode it.  That looks like a bunch of hex digits including a lot of nulls.  Not pretty.

  • Anita Tinkle (unregistered) in reply to fgilcher

    Remember what Accenture was called before the big "cool-one-word" (COW) name changes started happening during the dot-bomb era?

    You guessed it:

    ANDERSEN CONSULTING.

    And yes, Andersen consultants were (and still are) some of the most expensive college kids you can bring on.  It's still very much a fraternity atmosphere there.

Leave a comment on “The 160 Million Euro Session”