[Post website problems here] New CO website....clean but not perfect....
#286
Join Date: May 2003
Location: Somewhere in picturesque New England
Programs: WN Rapid Rewards, DL SkyMiles, UA MileagePlus, HiltonHonors
Posts: 765
Originally Posted by sbm12
The reservations are REAL!!!
#287
Join Date: Jan 2004
Location: NJ, USA
Posts: 2,837
Decided not to purchase a ticket for a flight - will wait till the end of the week. Using Firefox at home, and the spacing on buttons, calendars, and pull-downs is too small and cramped. That seems really minor compared to some of the problems, especially getting access to others' records, which is why I'm not buying today.
#288
Join Date: Feb 2005
Location: PEK
Programs: Alas, the Gravy Train Hath Ended...just happy to be an OW Sapphire and a ST Ivory...whatever
Posts: 4,389
I cannot seem to make the reward buttons work: when searching via the calendar matrix, one cannot use the arrow buttons to search a month ahead/previous without getting an error message....
#289
Join Date: Jan 2006
Location: ABE/PHL
Programs: CO Pt Infinite (1k life)/ 1MM - NW/DL Silver life/1 MM
Posts: 1,308
Originally Posted by david4455
Why do I get a "security alert" screen when I use the "flight status" function? Never got that before.....
I wonder if someone will fall into a backdoor into CAPSII, or whatever it is these days?
#290
Join Date: Feb 2005
Location: PEK
Programs: Alas, the Gravy Train Hath Ended...just happy to be an OW Sapphire and a ST Ivory...whatever
Posts: 4,389
Originally Posted by hoch66
Actually, I am the real Sheldon
I thought you were the real Kaiser Sosa.....
#291
Join Date: May 2006
Location: TPA
Posts: 334
Originally Posted by sjefenole
After I mistakenly invited mbmiles88 and entropy and probably even more people into my account I am scared of continental.com and I can't go to sleep. It is now 4:28 AM CET.
But I tried that on one of them just for the heck of it and it was about to actually let me renew someone's PC membership! Obviously I didn't actually do it, but still, that's scary.
#292
Join Date: Mar 2006
Posts: 163
Originally Posted by theblakefish
I thought you were the real Kaiser Sosa.....
#293
Join Date: Jul 2004
Programs: CO Gold; SPG Gold***; AvisFirst;
Posts: 3,970
Ok, maybe this'll help... the SID in the URL is totally ignored. You can type/retype anything & it doesn't matter. If you delete it entirely, you have to log in again. If you change it to any string of characters the same length, everything behaves as if you didn't change it (I'd say it behaves correctly... but I don't know what that is today).
To make it just a bit worse... you can enter a short or otherwise invalid SID - you'll be asked to login, and then the bogus SID becomes your SID. Doing this I was able to get a "valid" one digit SID. This is just so wrong.
To make even worse... you can save your URL including a SID (bogus or not)... then logout. If you subsequently paste a previously valid SID from the now logged-out session and go there, you're logged in again - no password!
CO Insider: I'd be happy to walk someone through recreating this if need be.
Cigar: I appreciate what you've done for us and CO... but I'm in IT and this is inexcusable.
updated:
Played a bit more... looks like session state is indeed being tracked by the sid. Problem is that logon state is also tracked by the sid. When you disconnect without logging out, the logged in state remains with the sid and ANYONE can access the account if they know the URL. This is bad, as the URL is in the clear and in browser history. If you log out of the sid, then that specific sid no longer gets you back in. If you don't and the sid is re-issued (or retyped, or posted to a website and clicked)... then someone else has unfettered access to your account.
I strongly recommend that everyone start explicitly logging out when done until this is fixed. If you have browser history you might want to go back and log out of every different session you can find. And, yes, I logged out of SID=1.
CO Insider: please tell your IT people that letting the browser manage security is not acceptable. The logged in or out state MUST be maintained on the server. There are far too many ways to hack in if you trust the browser. This is, no offense, a pretty basic error. Were this to happen where I work, those lucky few who didn't get canned would be testifying before congress. I would suggest that there are quite a few US and EU rules that have been violated here and some serious damage control is in order.
Last edited by mbreuer; Jul 31, 2006 at 10:11 pm Reason: More info
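The post above describes three session-management failures at once: the browser can choose its own SID and have it bound at login (session fixation), the SID travels in the URL where history, bookmarks and logs keep it, and a session that is abandoned without logging out stays valid for whoever later presents that SID. The following is an added example, not code from continental.com or from mbreuer; `LeakySessionStore` is an assumed model of the behaviour the post reports, not the site's real implementation, and `HardenedSessionStore`, `session_cookie_header`, `demo` and the sample credentials in `USERS` are all constructed for illustration. The hardened store keeps login state only on the server, rotates to a fresh unguessable SID at login so a pre-planted value is never promoted, revokes on logout, and expires idle sessions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample credentials for the demo; nothing here is real.
USERS = {"alice": "correct-horse", "bob": "hunter2"}


class LeakySessionStore:
    """Models the behaviour the post describes (an assumption about the site,
    not its real code): whatever SID the browser presents is accepted, a login
    binds that client-chosen SID, and nothing ever expires on its own."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, presented_sid: str, user: str, password: str) -> str:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        # Session fixation: the attacker-chosen value "1" becomes a live session.
        self.sessions[presented_sid] = user
        return presented_sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


@dataclass
class Session:
    user: str
    last_seen: float


class HardenedSessionStore:
    """Login state lives only here, keyed by a server-generated, unguessable
    identifier; the client never gets to choose or keep one."""

    IDLE_TIMEOUT_SECONDS = 15 * 60

    def __init__(self, clock=time.time) -> None:
        self.sessions: Dict[str, Session] = {}
        self.clock = clock  # injectable so the idle timeout can be tested

    def login(self, presented_sid: Optional[str], user: str, password: str) -> str:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        # Drop whatever the client presented (valid or bogus) and rotate to a
        # fresh 256-bit identifier, so a pre-planted SID is never promoted.
        if presented_sid is not None:
            self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user=user, last_seen=self.clock())
        return sid

    def whoami(self, sid: Optional[str]) -> Optional[str]:
        session = self.sessions.get(sid) if sid else None
        if session is None:
            return None
        if self.clock() - session.last_seen > self.IDLE_TIMEOUT_SECONDS:
            # An abandoned browser tab is not a permanent key to the account.
            del self.sessions[sid]
            return None
        session.last_seen = self.clock()
        return session.user

    def logout(self, sid: Optional[str]) -> None:
        # Server-side revocation: the old SID is dead even if it is still in
        # browser history or a bookmarked URL.
        if sid:
            self.sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Carry the SID in a cookie rather than the URL so it stays out of
    history, bookmarks, Referer headers and web server logs."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> Dict[str, Optional[str]]:
    results: Dict[str, Optional[str]] = {}

    # Leaky store: a one-character SID typed into the URL becomes a real session.
    leaky = LeakySessionStore()
    leaky.login("1", "alice", "correct-horse")
    results["leaky_fixated_user"] = leaky.whoami("1")

    # Hardened store with a fake clock so the idle timeout is deterministic.
    now = [1_000_000.0]
    hardened = HardenedSessionStore(clock=lambda: now[0])
    sid = hardened.login("1", "alice", "correct-horse")
    results["hardened_sid"] = sid
    results["hardened_rejects_chosen"] = hardened.whoami("1")
    results["hardened_live_user"] = hardened.whoami(sid)

    hardened.logout(sid)
    results["hardened_after_logout"] = hardened.whoami(sid)

    sid2 = hardened.login(None, "bob", "hunter2")
    now[0] += HardenedSessionStore.IDLE_TIMEOUT_SECONDS + 1
    results["hardened_after_idle"] = hardened.whoami(sid2)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the contrast directly: the leaky store happily reports `alice` for SID `1`, while the hardened store never treats `1` as a session, hands back a 43-character random SID instead, and returns nobody for that SID once it has been logged out or left idle past the timeout. The cookie attributes in `session_cookie_header` are the transport half of the fix; rotating and revoking on the server is the half the post says was missing.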
#294
Join Date: May 2006
Location: TPA
Posts: 334
Originally Posted by mbreuer
Ok, maybe this'll help... the SID in the URL is totally ignored. You can type/retype anything & it doesn't matter. If you delete it entirely, you have to log in again. If you change it to any string of characters the same length, everything behaves as if you didn't change it (I'd say it behaves correctly... but I don't know what that is today).
To make it just a bit worse... you can enter a short or otherwise invalid SID - you'll be asked to login, and then the bogus SID becomes your SID. Doing this I was able to get a "valid" one digit SID. This is just so wrong.
To make even worse... you can save your URL including a SID (bogus or not)... then logout. If you subsequently paste a previously valid SID from the now logged-out session and go there, you're logged in again - no password!
CO Insider: I'd be happy to walk someone through recreating this if need be.
Cigar: I appreciate what you've done for us and CO... but I'm in IT and this is inexcusable.
#295
FlyerTalk Evangelist
Join Date: Feb 2002
Location: San Francisco/Tel Aviv/YYZ
Programs: CO 1K-MM
Posts: 10,762
Sorry Scott, but this just is REALLY REALLY PATHETIC.
#296
Join Date: Apr 2006
Location: ORD
Programs: AA EXP; DL Gold
Posts: 25
Okay, so here are the major issues I've noticed with my attempt to book on co.bomb:
1) Nags the living s**t out of me every time I try to do anything besides stare at the screen with my mouth agape.
2) When I click "View Seats" on a flight, or if I hit enter no matter where I am, it may or may not select the flight as a chosen leg.
3) When I click the "View/Edit Seats" option when managing reservations, it just lets me view the g.d. thing! Worse, when I could choose seats, it allowed me to choose one by turning the seat yellow, and then, clicking on the other leg, it "forgot" my choice and didn't choose a seat at all!
4) It double reserves flights. So now I have three flights to JFK, when I only chose to reserve it once.
5) You can only manage the first flight on the main page because your other flights are not listed. Clearly they are ignoring those of us who travel more than once to see Aunts Patty's and Selma's trip to Shelbyville...
The good things that probably won't last long:
1) I could reserve flights now and not have to buy them while I await approval from the boss-woman. ^
2) I can choose exit row and bulkhead seating ^ (when the damned website lets me choose seats! )
#297
Join Date: Jan 2006
Location: KAUS
Programs: UA MM
Posts: 1,118
I would like to say that, in addition to adding the record locator (PNR) in the URL problem to this thread, a few months ago I started a thread in which I stated that the EWR intranet was completely compromised, something that I discovered through a google search. That is, the whole darn thing was open on the internet.
The reaction on Flyertalk was to say that was impossible and to f*rt in my general direction, and a number of people claimed I was lying. That included a CO employee (not CO Insider). I was not lying. It was true. I resisted the temptation to prove what I was saying was right, by posting some details - in that case, mainly security sensitive details.
So, anyway, here I am again. I hope people believe me now. And I still have not heard a d*mn word from Continental about reporting to them the fact that their intranet was hanging out on the internet a few months ago.
Anyway, having d*mn well seen and promptly reported (as opposed to exploited) my share of CO IT fiascos, I sure wish that somebody at CO would acknowledge that fact.
#298
Join Date: Feb 2004
Location: CLE
Programs: UA GS+LT UC, AA EXP+LT PLT, Fairmont LT PLT, Marriott PLT, Hilton DIA, Hyatt Glob, Avis CHM
Posts: 4,671
Some of my current and booked itineraries are in the cancelled section, and for the life of me I can't figure out how to get them back to the current section!
I tried finding it again by conf# and saving it to my account, but CO.Bomb did NOT appreciate that...
#299
Join Date: Jan 2005
Location: Seattle, WA
Programs: CO Platinum, AA Gold, UA Premier, Hilton Gold, Hyatt Silver
Posts: 266
My first experience with the new website was weird. I tried to book a flight to Frankfurt in January, but it kept coming back that no seats were available. So I booked a flight into CGN and all of a sudden FRA came up with a seat at a good price (Biz1st).
Then it tried to charge me twice as much for the seat as the price displayed and there was no mention that the price given was one-way.
Strange...just plain strange...
#300
FlyerTalk Evangelist
Join Date: Feb 2002
Location: San Francisco/Tel Aviv/YYZ
Programs: CO 1K-MM
Posts: 10,762
at least they aren't using models on their website like LY is.... www.elal.com, if you look at the plane, the tail stabilizers are on upside down.
I've come to expect that crap from LY but from CO its surprising.