Don't link to pages inside the Apple Store

February 10, 2001

I've seen a couple people link to pages on the Apple Store recently.

This is a really, really bad idea. Before I explain why, I should say that the Apple Store itself is probably safe, but I haven't completely verified it. But I want to scare you for your own good.

Here's one of the URLs:

http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/72/wo/ZLyXr0ISFZLzDgGds3/2.3.0.3.28.9.2.3.3.0.3.1.1.0?74,47

You might look at that URL and think that it's pointing to a particular page on the store, and that if you clicked on it 2 months from now, it would take you back to the same place (assuming the Store wasn't changed between now and then).

But you'd be wrong. Click on it and you'll get a session timeout page.

Let's examine each part of the URL after the "WebObjects" part:

AppleStore.woa:

You're surfing the Apple Store WebObjects Application (WOA).

72:

This is the "instance number": it identifies which running instance of the AppleStore application on the server your session belongs to. By default, a session is tied to the instance it was created on. Apple is running a LOT of instances of AppleStore.woa on its WO server farm. At least 72. :-)

wo:

IIRC, this signals to WO that the rest of the URL describes a "component action". If it was "wa" it would have signaled a direct action.

ZLyXr0ISFZLzDgGds3:

This is the, no, let's say your session id. By default, WebObjects stores the session id in the URL. It can also store it in a cookie, but that's not how the WO App is configured.

2.3.0.3.28.9.2.3.3.0.3.1.1.0:

These are element ids and the context id. They are essentially the path that you've followed through the app since your session started. They enable WebObjects to find the right cached component object on the server to process the most recent request.

?74,47:

The last request was a result of clicking on an image with a server-side image map. The 74,47 are the coordinates that were clicked.

Now, why is it bad to post this link on your weblog? Because the session id is the key to finding YOUR shopping cart on the server. The session persists on the server until it expires, which by default happens after 1 hour.

I'm going to give the Apple Store the benefit of the doubt on this: it makes you sign in to continue, which, unless Apple's developers are sleeping behind the wheel (they're not, they're awesome), is stored in a cookie on the client. Therefore, if the URL is loaded on another computer, you MIGHT be able to see the other person's cart, but you wouldn't be able to check out because the sign-in cookie isn't on the other computer... and presumably the password is hard to guess.

BUT, maybe the Apple Store is poorly written... and almost certainly there's going to be a WO shopping cart out there that is, just as there have been insecure e-commerce systems written using just about every tool in existence.

By linking to a page in the Apple Store with your session id in it, you're giving everyone who follows the link before the session expires access to your cart, and if you're unlucky, your credit card. If you have 1-click buying turned on, you're fucked, meladdie. (if the Store was poorly designed)

So, public service message... if you see a WebObjects URL with a sessionId in it, don't put a link to it on your weblog.
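To check a draft post before publishing it, the URL breakdown above can be turned into a small parser. This is an added example, not code from the original post or from WebObjects; the function names and the draft text are constructed for illustration, and the URL is the one quoted above with its spaces removed.

```python
import re
from urllib.parse import urlsplit

# Layout walked through in the post:
#   .../WebObjects/<App>.woa/<instance>/<wo|wa>/<session id>/<element ids>?<query>
WO_PATH = re.compile(
    r"/WebObjects/(?P<app>[^/]+\.woa)"
    r"/(?P<instance>\d+)"
    r"/(?P<handler>wo|wa)"
    r"(?:/(?P<rest>.*))?$"
)
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")

def parse_wo_url(url):
    """Split a WebObjects URL into the parts named in the post, or return None."""
    parts = urlsplit(url)
    m = WO_PATH.search(parts.path)
    if not m:
        return None
    info = {"app": m["app"], "instance": int(m["instance"]),
            "handler": m["handler"], "session_id": None,
            "element_ids": None, "query": parts.query or None}
    # The post gives the session id position only for "wo" (component action)
    # URLs, so "wa" URLs are parsed but never reported as session-bearing.
    if m["handler"] == "wo" and m["rest"]:
        session_id, _, element_ids = m["rest"].partition("/")
        info["session_id"] = session_id or None
        info["element_ids"] = element_ids or None
    return info

def session_links(text):
    """Return the URLs in a draft post that carry a session id in their path."""
    found = []
    for raw in URL_IN_TEXT.findall(text):
        url = raw.rstrip(".,;:)!?")  # drop sentence punctuation after the link
        info = parse_wo_url(url)
        if info and info["session_id"]:
            found.append(url)
    return found

# Constructed draft post; the first URL is the one quoted in the post.
DRAFT = ("Look at this: http://store.apple.com/1-800-MY-APPLE/WebObjects/"
         "AppleStore.woa/72/wo/ZLyXr0ISFZLzDgGds3/2.3.0.3.28.9.2.3.3.0.3.1.1.0"
         "?74,47 and the front page, http://store.apple.com/.")

if __name__ == "__main__":
    for link in session_links(DRAFT):
        print("session id in URL, do not publish:", link)
```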