• Frist (unregistered)

    hijack/frist.aspx

  • Robert Morson (google)

    As far as I'm concerned, the only really silly thing about this is the use of the word "hijack" in a URL. That's a pretty much guaranteed way to get customer service calls from users who are convinced that ISIS is in their computers.

  • Quite (unregistered) in reply to Robert Morson

    Yes, I was expecting the punchline to be exactly one of those encounters. Imagine my disappointment at the anodyne ending ...

  • (nodebb)

    Who can say whether 302 vs 307 behavior is a dark IIS secret?

    Well, only those select chosen ones who read the HTTP spec at https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.3 .
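
The 302 versus 307 difference the comment above points at is spelled out in the spec (RFC 2616 section 10.3, now RFC 7231 section 6.4): a user agent MAY rewrite a redirected POST to GET on a 302, and MUST NOT change the method on a 307. The script below is an added example, not code from the article or from any commenter: it runs a throwaway HTTP server on localhost and a client that follows one redirect by those rules. The paths /login-302, /login-307 and /target and the form body are constructed for the demonstration. The security point it makes concrete is that a 307 replays the whole request, credentials included, to whatever the Location header names, so the redirect target had better be one you control.

```python
"""Added example: how an RFC 7231 client treats a 302 vs a 307 redirect of a POST.
Paths and the form body are constructed for the demo (not from the original page)."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RedirectDemo(BaseHTTPRequestHandler):
    """Constructed endpoints: /login-302 and /login-307 redirect to /target,
    which echoes back the method and body it actually received."""

    def _drain_body(self):
        length = int(self.headers.get("Content-Length") or 0)
        return self.rfile.read(length) if length else b""

    def _redirect(self, status):
        self._drain_body()
        self.send_response(status)
        self.send_header("Location", "/target")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _echo(self):
        body = self._drain_body()
        payload = json.dumps({"method": self.command, "body": body.decode()}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):
        if self.path == "/login-302":
            self._redirect(302)
        elif self.path == "/login-307":
            self._redirect(307)
        elif self.path == "/target":
            self._echo()
        else:
            self.send_error(404)

    def do_GET(self):
        if self.path == "/target":
            self._echo()
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral port on localhost and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), RedirectDemo)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_and_follow(port, path, body):
    """POST `body` to `path` and follow one redirect per RFC 7231 section 6.4:
    303 always becomes GET; 301/302 are rewritten to GET as the spec allows
    and most user agents do; 307/308 must re-send the same method and body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    status = resp.status
    location = resp.getheader("Location")
    if status in (301, 302, 303):
        conn.request("GET", location)
    elif status in (307, 308):
        # The credentials in `body` are sent again, to wherever Location points.
        conn.request("POST", location, body=body, headers=headers)
    else:
        raise RuntimeError(f"expected a redirect, got {status}")
    final = conn.getresponse()
    result = json.loads(final.read())
    conn.close()
    return result


def demo():
    """Run both redirect flavours and return what /target saw for each."""
    server = start_server()
    port = server.server_address[1]
    creds = "user=alice&password=hunter2"  # constructed sample form body
    try:
        via_302 = post_and_follow(port, "/login-302", creds)
        via_307 = post_and_follow(port, "/login-307", creds)
    finally:
        server.shutdown()
        server.server_close()
    return via_302, via_307


if __name__ == "__main__":
    seen_302, seen_307 = demo()
    print("302:", seen_302)  # {'method': 'GET', 'body': ''}
    print("307:", seen_307)  # {'method': 'POST', 'body': 'user=alice&password=hunter2'}
```

Browsers follow the same rules: a form POST answered with 302 arrives at the target as a GET with no body, which is why a login handler behind a 302 "loses" the credentials, while a 307 hands the target the full POST. Note that the client here only honours a relative Location; a production client should also refuse to re-send a body to a different origin on 307/308.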

  • Brian (unregistered) in reply to Robert Morson

    And what's so wrong with that? Customer calls in saying his session has been "hijacked"; support tech says "well, maybe you ought to switch to our new, more secure system then".

  • Tim (unregistered)

    TBH apart from the lack of SSL, I'd say this kind of jiggery-pokery is just about the norm for most SSO implementations

  • Damien (unregistered) in reply to phihag

    You know you can stop referencing RFC2616? It's been obsolete for over 3 years now. RFC 7230 should be your starting point although one of the other 723x RFCs may hold the specific item you want.

  • Ulysses (unregistered) in reply to Damien

    WTF 7331 is the only spec I adhere to anymore. It does a body good.

  • Jeremy Hannon (google) in reply to Robert Morson

    Yes, getting calls about odd things from customers that get worried about nothing. I remember the story about the guy who was extremely upset that his URL contained the letters "NSF". They were on Lotus Notes and that means Notes Structured File. This gentleman complained because he didn't want anything to do with "Non Sufficient Funds".

    Then there was the time we named the printers for easier identification than what they had before. Since it was an agency that did work with children (subsidized child care, etc.) we named them after Muppets, at random. One lady was extremely offended that the printer in her area was called "Miss Piggy".

  • Jeremy Hannon (google) in reply to Damien

    Personally, I make sure it implements RFC 2324

  • (nodebb)

    @Jeremy The poor dear probably bore some resemblance to her.

  • Quite (unregistered)

    Then there was the gentleman who rang up the computer support helpline, furious that his computer was calling him "bad" and an "invalid".

  • MiserableOldGit (unregistered) in reply to Jeremy Hannon

    Years and years ago I had a hand-rolled internal company directory on an intranet to look after ... stuck together with JSP, HTML, spit and gaffer tape. It was a simple little thing, a bit of fun for everyone.

    I set up a series of flags that would appear next to people's names to show information that might be handy for others to know, spoken language skills, willing to car share, company chess club, up for some dogging, that sort of thing. Mostly they were things the users themselves could turn on and off.

    Somebody said how it might be handy to show someone was new to the firm as the directory now meant people were more likely to get phone calls and emails out of the blue from other departments asking detailed business questions. Simple enough, I had the joining date, so just put up a nice little welcome flag if it was fewer than 90 days ago. As part of debugging/fiddling with it I set it with a tooltip which showed "New member of staff", if you happened to mouseover where the flag would have been for others the tooltip said "Old member of staff". I forgot to remove the tooltips, or didn't realise the dangerous consequences of what I'd done, perhaps. It was a long time ago, I was young and foolish, now I'm just old and stupid.

    A few days after the novelty had worn off over the new flag, the tooltip was noticed by the most senior (in terms of age and rank) lady in the firm, who immediately checked with another very "senior" lady and decided that this was a focussed comment on either age or length of service, rather than something that applied to all staff members who weren't "New".

    Fortunately I got warning from a friend that they were heading for the IT department with pitchforks and P45s and was able to go into hiding and construct a contrite defence before the lynch mob found me.

    I later recoded the same page so it displayed a row of little dinosaurs next to everyone's avatar, one for each year of service, that was actually well received.

  • jerepp (unregistered)

    So this is what you have to do if you want something more secure than just checking the length of the password?

Leave a comment on “Re-Authenticated”
