Foist!
Admin
Ah, I see the WTF; the 97th digit is off by one.
Admin
Maybe they were burned badly by Y2K.
It reminds me of a base-64 encoded picture.
Admin
That's not a WTF... that's just coding for the future. The world population, it is a multiplying.
Admin
I've worked on Accenture engagements and this does not surprise me in the least... they probably billed out some new college grads fresh from Accenture "bootcamp" at 500/hr for that crap....
Admin
Maybe it's supposed to be something similar to ASP.NET's Viewstate.
Admin
Is that really just the session ID? It might be the session ID plus a lot more data too!
Admin
It actually looks like, with all those strings of 0's followed by chunks of characters, that this "session id" is being used to store some data about the session.
Now that would be a WTF.
(I love it when the captcha is 'enterprise')
Admin
Don't you see?
That's your total IRS record right there in the session !
Very nice if they want to employ you :P
Admin
In the next $100 million phase they will be implementing gzip compression for URLs.
Admin
They don't want to be outgunned when the 1-yottabyte disk comes standard on new computers.
Admin
This stuff used to piss me off... Why in God's name would someone choose a "unique" identifier of such uniqueness? 32 characters of hex was enough to make me grit my teeth. These days, I don't worry about it. I've seen so much worse crap lying around; if someone's worst problem is that they think they're going to need more than 1.1579208923731619542357098500869e+77 unique identifiers, more power to 'em.
Admin
Hi, you can't imagine how many people are unemployed in Germany.
We need this state of uniqueness *g*
Admin
Yeah, I don't even see the code. I just see blondes, brunettes, and redheads.
Admin
Heh. I can't even get their website to come up.
Admin
Looking closer at the URL, I'm very curious what the stuff after the underscore signifies (maybe it's some sort of partial salt?)
Admin
Well, 714 bytes is 8 bits, so we have 2^5712 possible session identifiers, which is a bit more than 10^1719.
There are about 10^78 atoms in the universe, so if every atom in the universe created a session every second, that site won't run out of sessions for 10^1641 seconds, which is about 10^1635 years.
That's the kind of Enterprise-class engineering I'd expect in a $165M site.
Admin
I see an underscore in there towards the end. Then all the hex letters magically jump to upper case. Definitely other information stored in there.
Also I viewed source on the website. I noticed that one of these crazy session URLs actually had 1 GET data as well. So my 'spot the WTF' is that the session is storing data as well as the URL with GETs. I think the extra money was to add the features of sending data through cookies and POST as well! Now that's enterprisey!
Admin
Some of the strings embedded:
IDL:http/ReqProcessor:1.0
s0202021
berufe_cluster
/tomcat4_poa
VIS
UserRealm
VB
Borland
Admin
That's using the old noodle!
Admin
That's not a session id, it is a uuencoded JPG of Bill Gates!
Admin
I was half-expecting a circle to appear in that, made entirely from 1s and 0s.
(joke for Sagan fans)
Admin
Heh! That cracks me up.
Admin
Where is "berufe_cluster" embedded?
Admin
Well, they'd be remiss if they forgot to consider those persons needing to log on after the heat death of the universe.
Admin
Unemployment? That's because they outsourced this ArbeitsDoppelGang to USA.
Admin
What frightens me much more than that absolutely unique identifier is this tabindex="600"!
Admin
here -> 6265727566655f636c7573746572
Admin
errr here -> 6265727566655f636c7573746572
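Several commenters above are reading ASCII fragments straight out of the hex. As an added example (not code from the article or from the site being discussed), here is the same thing done mechanically: decode the hex and run a `strings`-style scan for printable runs, plus a NUL-byte ratio as a quick tell that a "session id" is really a zero-padded struct. The sample blob is constructed for this example; the only piece taken from the thread is the `6265727566655f636c7573746572` ("berufe_cluster") hex quoted just above.

```python
import binascii
import re

# Constructed sample, NOT the real URL from the article: runs of NUL padding
# around ASCII fragments, mimicking what commenters reported seeing.
SAMPLE_HEX = (
    "00000000" + "2f746f6d636174345f706f61"            # "/tomcat4_poa"
    + "0000000000000000" + "6265727566655f636c7573746572"  # "berufe_cluster" (hex quoted in thread)
    + "00000000" + "557365725265616c6d"                # "UserRealm"
    + "0000" + "426f726c616e64"                        # "Borland"
    + "0000" + "5f6f692a4a573847"                      # "_oi*JW8G": the trailing, varying part
)


def hex_strings(hex_blob: str, min_len: int = 4) -> list:
    """Decode a hex blob and return every run of at least min_len printable
    ASCII bytes, which is what the Unix `strings` utility does to a binary."""
    raw = binascii.unhexlify(hex_blob)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def nul_ratio(hex_blob: str) -> float:
    """Fraction of decoded bytes that are 0x00. A random session id should be
    near 1/256; a serialized struct with padding is usually far higher."""
    raw = binascii.unhexlify(hex_blob)
    return raw.count(0) / len(raw)


def split_at_last_underscore(hex_blob: str):
    """Return (prefix, suffix) around the last '_' (0x5f) in the decoded bytes,
    matching the commenters' observation that only the part after it changes."""
    raw = binascii.unhexlify(hex_blob)
    idx = raw.rfind(b"_")
    if idx < 0:
        return raw, b""
    return raw[:idx], raw[idx + 1:]


if __name__ == "__main__":
    for s in hex_strings(SAMPLE_HEX):
        print(repr(s))
    print("NUL ratio: %.2f" % nul_ratio(SAMPLE_HEX))
    print("varying suffix:", split_at_last_underscore(SAMPLE_HEX)[1])
```

Run it against the real identifier by pasting the hex into `SAMPLE_HEX`; a NUL ratio anywhere near 0.3 on something that claims to be a random token is enough to conclude it is serialized state, not an id.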
Admin
Now this may not be as bad as it looks, actually.
Privacy laws in Germany are very strict, and so I am quite sure that there are some formal rules about using (or not using) cookies in the construction of this site, as well as about long-term server-side storage of a user's private (and potentially sensitive) data. This means that using the URL to encode a user's personal data may be the only viable option. (The URL looks like an encoded record of data followed by an underscore and some "real" session ID.)
This strange design "requirement" may also be one of the reasons why this (otherwise incredibly poorly done) web site starts to lose sessions once you use more than one window or more than one tab at a time in a multi-tab capable browser. (Skipping through the job list -- which appears to be flooded with bogus job offers entered by private temp-employment agencies -- over a slow Internet connection using only the browser's "back" button is sure to drive you nuts before even getting to the first serious offer. But then, this is supposed to be your new full-time job anyway...)
Admin
It is probably an attempt to make sure that the menu is the last item to receive focus when navigating by keyboard.
I personally find it very frustrating when keyboard navigation jumps all over the place.
Admin
Hey, don't blame us, after they outsourced it to us we outsourced it to India!
Admin
I'll take a guess that they are attempting to prevent session hijacking.
Admin
More (but much less significant):
F
M
PMC
VB!
W3no7?k,
It definitely looks like it's more than a session ID. Data is definitely stored in there...
I went to the site, and the only thing that changes in that session id is everything after the underscore. For me, the text there converted to "oi*JW8G".
Admin
Sounds like more psychological warfare on the angst-ridden unemployed who would commit acts of defiance against their corporo-political gods. Obviously nobody would challenge that sort of security because there is no way they could. Right on!
Admin
Wait, isn't a "Federal Labor Office's" job to find ways to give unemployed people money for doing basically nothing under the guise of being gainfully employed so everyone can pretend it's not a handout? If so, I'd say this was the most successful software project there has ever been.
Admin
With all the illegal immigrants coming to Germany and trying to get benefits they need a larger number than the number of sub-atomic particles in the solar system.
I suspect the poster who thought that the URL encodes the state of the system in some way is correct. I don't think I'll try hacking the system however when the system is owned by a major government.
Admin
Just in case they forget what compiler they were using.
Admin
Hah. Looks like they're using Borland Enterprise Server and screwed up their pointers somewhere. What you're seeing there is most likely some contents of the stack at some point, with the crap after the underscore being the real session id. There's probably a security hole there somehow as well.
Admin
..and what's worse is that they probably billed that and built the app at their Bangalore location. My experience with Accenture was that they were an army of partners and partners-in-training, with no one left to do the actual work. "Let's schedule a meeting to discuss the next meeting regarding meetings"
Oy.
Admin
/tomcat4_poa ....
"poa" always smells like CORBA.
Admin
65M? What the hell? I recently talked with a few of the biggest companies that will host/install their prebuilt employment portals for you and most charge about $30k. I can understand charging more for a custom application, but seriously, for that much money you could practically write the app, os, db and webserver to run it on!
Admin
...
/tomcat4_poa
...
VB
Borland
----
Are they mixing visual basic, and tomcat/jsp??? WTF???
Admin
well, 65M was the first estimate. IIRC, the project was stopped short before reaching the 200M mark. Go figure...
Admin
IDL:http/ReqProcessor:1.0$ s0202021ëFMPMCIDL:http/ReqProcessor:1.0 berufe_cluster
/tomcat4_poaVISVIS !p"@gg UserRealmVB!BorlandgÊ“0öæósö¾Á˜
...wtf.
http://nickciske.com/tools/hex.php
Admin
I see signs of VB, tomcat/jsp, CORBA, and some random Borland language in there. I'm guessing that that's the reason it's so expensive.
Admin
I suspect that session id is not just the id of the session, but has encoded into it some clustering/routing/failover information. I don't think WebLogic does this, but I believe WebSphere or maybe one of the older app servers does. Unless Indenture is in the habit of rolling their own application server, this is probably due to their choice of app server rather than a specific design or coding issue.
Admin
Bad daily WTF! Bad!
Wrap up an Initialisation Vector, AES encrypted data plus an HMAC in a hex encoding and you will end up with something like this. I'm not saying that's what they've done, but there are valid reasons for using a 200-odd digit session ID.
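To put numbers on the comment above, here is an added example (mine, not the commenter's and not anything from the site) of the token layout described: IV, then ciphertext, then an HMAC-SHA256 tag, all hex encoded. The standard library has no AES, so the cipher is a stand-in counter-mode keystream derived with HMAC-SHA256; the token structure, sizes and encrypt-then-MAC verification are the point, and in production you would use AES-GCM or another AEAD instead. Keys are hard-coded constants so it runs offline; a real deployment loads them from configuration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed keys for the example only; real keys come from server config.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")
IV_LEN, TAG_LEN = 16, 32  # 16-byte IV, 32-byte HMAC-SHA256 tag


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256(key, iv || counter).
    Stand-in for AES-CTR (not in the stdlib); same token shape either way."""
    stream = b"".join(
        hmac.new(key, iv + n.to_bytes(4, "big"), hashlib.sha256).digest()
        for n in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(state: bytes) -> str:
    """hex(IV || E(state) || HMAC(IV || E(state))): encrypt-then-MAC."""
    iv = secrets.token_bytes(IV_LEN)
    ct = _keystream_xor(ENC_KEY, iv, state)
    tag = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    return (iv + ct + tag).hex()


def open_token(token: str) -> Optional[bytes]:
    """Return the decrypted state, or None if the token is malformed or the
    MAC fails. The MAC is checked (in constant time) before any decryption."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) < IV_LEN + TAG_LEN:
        return None
    iv, ct, tag = raw[:IV_LEN], raw[IV_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(ENC_KEY, iv, ct)


def token_hex_length(state_len: int) -> int:
    """Hex digits a sealed token of state_len bytes will occupy."""
    return 2 * (IV_LEN + state_len + TAG_LEN)


if __name__ == "__main__":
    # Constructed session state; the field names echo strings seen in the thread.
    state = b"uid=s0202021;realm=UserRealm;cluster=berufe_cluster;flags=0"
    tok = seal(state)
    print(len(tok), "hex digits:", tok)
    print("round trip ok:", open_token(tok) == state)
```

Sixty bytes of state come out at 2 * (16 + 60 + 32) = 216 hex digits, which is exactly the "200-odd" range; the difference from the article's identifier is that nothing here is readable, since there are no NUL runs or plaintext class names to pick out. The caveat a practitioner would add: even an authenticated, encrypted blob in the URL still lands in proxy logs, browser history and Referer headers, so keep the state small and short-lived.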
Admin
Tapestry tends to encode a lot of stuff into URLs (or hidden form fields), but is nice enough to compress/encrypt/MIME encode it. That looks like a bunch of hex digits including a lot of nulls. Not pretty.
Admin
Remember what Accenture was called before the big "cool-one-word" (COW) name changes started happening during the dot-bomb era?
You guessed it:
ANDERSEN CONSULTING.
And yes, Andersen consultants were (and still are) some of the most expensive college kids you can bring on. It's still very much a fraternity atmosphere there.