Community Center F.A.Q (Last Updated: 2025 Feb 10 11:31 pm)
Yes please always take the sessionID out of any URL you send to someone else. The session id data is only left by members that do not have their cookies enabled. Since the session ids expire in a short period of time, this generally is not a problem. One way to correct this is for members to accept cookies. Also Renderosity does not store credit card information. Thank you, Stacey Community Manager
A few parts of 'rosity still use SessionIDs in the URL. Which is bad practice - as we can see here.
You can recognise the presence of a sessionID by watching the URL: if it contains something like "&SessionID=xxxxx" it's there.
I haven't seen Bondware 3.0 in action yet, but if it is not totally crap, it will NOT use SessionIDs in the URLs. Those sessionIDs should be contained in encrypted hidden form fields; this has been standard practice for over 5 years now.
Message edited on: 01/14/2006 20:51
The pen is mightier than the sword. But if you literally want to have some impact, use a typewriter
"Sorry but the sessionid is the cause. You know that because it will be in the URL itself. If you accept RR cookies this problem could be avoided and also even if you don't they expire after 15 minutes." I have to correct you here. This happens if you have cookies enabled or not. It is NOT a cookie problem. As stated, this is a Bondware problem.
By the way, hashed hidden form fields are a standard way to make a cookieless Web application. There's only one thing that requires a (persistent) cookie on the client - saving logon information.
The pen is mightier than the sword. But if you literally want to have some impact, use a typewriter
Stacey, Cookies or not, session ID will show up in a copied URL if it is being sent within that first 15 minutes of being active. Most of us old-timers (especially anybody who watched ernyoka and ziggy playing as each other) will catch and delete that part of a link, but newer folks might not recognize what that ID is and does. It seldom trips someone up, and most of us are honest, but why take chances? Hopefully, the new software will have another less obvious way of identifying us. I'd be embarrassed by what is in my purchase history... no underthings or torture gear, but enough castles to open up an architectural firm. I need to go build something. ;) Carolly
I regularly used to see my sessionID pop into the URL when using Internet Explorer - I don't think I've ever seen it with Firefox, whether that's a result of changes at Renderosity or in the browser I couldn't guess. The problem isn't exclusive to Bondware - I get the sid=##### added to my URL in Firefox anytime I move a thread at the DAZ PHP forums, and I think we've had at least one case (a long time ago) of a store link being posted with some kind of session data - you need to check your links wherever you are.
The ForumID is safe (look at the links on the Forum page).
The SessionId will show up if you've had a window/tab open long enough for the previous session to expire, and then click on a link.
It appears in the address bar when the new session is started in this case.
It isn't coded into the links in the pages as far as I've seen.
Form.sess_id=&Form.sess_key= <- that's the stuff you remove from your URL. I've traded marketplace links with 2 of my very close friends many times, and it happens every time; usually the only time I notice it is when I go to my wishlist and I don't recognize ANY of it. Lucky us the new marketplace gets rid of that security hazard.
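Added example, not part of any post in this thread: a small Python helper that removes the session parameters named above (SessionID, sid, Form.sess_id, Form.sess_key) from a link before it is shared. The forum.example URLs and the other query parameters are constructed sample data.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names mentioned in this thread; compared case-insensitively.
SESSION_PARAMS = {"sessionid", "sid", "form.sess_id", "form.sess_key"}


def strip_session_params(url, names=SESSION_PARAMS):
    """Return (clean_url, removed_names) with session parameters dropped."""
    parts = urlsplit(url)
    kept, removed = [], []
    # keep_blank_values=True so an empty "Form.sess_id=" is still seen and removed
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in names:
            removed.append(key)
        else:
            kept.append((key, value))
    # Rebuild the URL with only the non-session parameters; path and fragment stay
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, removed


if __name__ == "__main__":
    # Constructed sample links, not real site URLs
    samples = [
        "https://forum.example/index.php?item=42&SessionID=abc123#top",
        "https://forum.example/product.php?Form.sess_id=111&Form.sess_key=222&id=7",
        "https://forum.example/viewtopic.php?t=9&sid=deadbeef",
        "https://forum.example/gallery.php?image=5",
    ]
    for link in samples:
        clean, removed = strip_session_params(link)
        print(f"{clean}  (removed: {removed or 'nothing'})")
```

This only cleans the copy being shared; a session ID that has already been posted stays usable until the site expires it.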
Do not let this happen to you! Below is a copy of an email I sent to Renderosity. Tonight in an exchange with another person via PM, I was asked about a texture I used in an image I did. In response, I went to my purchase history to find the item in question. I clicked on the link for the merchant and highlighted and copied the URL. I sent that address to the other person so they could find it to purchase it. She added the item to her wishlist but a box popped up saying she had already purchased it. She went to her purchase history and didn't recognize it. Somehow she had access to my purchase history and all my personal information including my address. This is a very dangerous problem. I don't know if she has my credit card info or not. Renderosity needs to find a solution to this problem. I could be in big trouble. I don't know if this is a common occurrence or not, but people need to be warned. This could be disastrous, not to mention a revenue loser for Rosity.