OK, memo to all of you out there who might, someday, ever write a web application. And, memo to all of you who might, someday, ever consider conducting your personal Internet affairs at work.
As part of the great cleaving-in-twain of the firewall boxes we were able to re-enable web content filtering. On the CEN side of things, because we use the State's filtering system (N2H2) to do the filtering, we're just running in 'monitor' mode, logging all web site visits to disk (as we are required to do by Federal law). On the AT&T side of things which is used by municipal staff we enabled content blocking on a few clearly out-of-bounds types of sites (you guessed it, pr0n, nudity and 'adult content').
I did some poking in the logs to see what we caught today. The list is pretty short; only 72 out of thousands of web sites visited. Now, one of the great things about our spiffy new-ish Fortinet firewalls is that they give full host name resolution and URL text. This is a step up from what our old Cisco PIXes gave us (host IP and URL text). You couldn't tell from the host IP what site the user was going to if the site was hosted by one of those hosting services where they stack fifty web sites on a box using virtual servers. They all have the same IP address; the web server looks at the Host header in the HTTP request to figure out which virtual web site is being requested. Well, now we get that information too.
With the other data collection tools we put in place two years ago after a kiddie porn incident in the Fire Marshal's office, we can now track a web site visit right back to the individual user. Not just to the PC, but to you. I'm sure that other organizations' IT shops are at least abreast, if not ahead, of us shuffling civil servants in Hartford in this Internet arms race. So, for all you folks who think that sites like www.thongbattle.com are work fare, knock it off: we know who you are!
Ok, this part is ACHTUNG! for both desk-bound punters and web application developers. Along with the web server's host name, we get the full body of the URL. If you build some sort of "autologin" feature for your 'alternative lifestyle personals' web site that relies on a long string of gobbledygook in the URL to identify the user (and not something marginally more secure like placing an encrypted cookie on the user's PC), you are enabling devious sh*thead administrators like me to log in to said 'alternative lifestyle personals' web site as that user and utterly hose them.
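To make the point concrete from the defender's side, here is an added example (my own illustration, not code from the original post or from any product named in it). The first half audits constructed proxy log lines in a loose Fortinet-like key=value style for URL query parameters that look like credentials, and redacts them so the retained logs stop being a login-token dump; the parameter names, the log format and the sample lines are all assumptions for illustration. The second half shows the alternative the post gestures at: instead of an autologin token in the URL, the server hands out an opaque, random session id in a `Secure; HttpOnly` cookie and keeps the mapping to the user on its own side (an opaque server-side session rather than the encrypted cookie the post mentions; either keeps the secret out of the logged URL).

```python
import re
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Constructed sample log lines (assumed format; not real Fortinet output).
SAMPLE_LOG = [
    'user=jdoe srcip=10.1.2.3 hostname=personals.example '
    'url="/p/login.cgi?autologin=UmFuZG9tSVYt&ref=home"',
    'user=asmith srcip=10.1.2.4 hostname=news.example url="/story?id=42"',
]

# Query parameter names that commonly carry credentials (assumed list).
SENSITIVE_PARAMS = {"autologin", "token", "session", "sid", "password", "key"}

LOG_RE = re.compile(r'user=(\S+) .*? url="([^"]*)"')


def sensitive_params_in_url(url):
    """Return the names of query parameters that look like credentials."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


def redact_url(url):
    """Replace the values of credential-looking parameters so the log can be kept."""
    parts = urlsplit(url)
    items = [
        (name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(items)))


def audit_log(lines):
    """Return (user, offending_params, redacted_line) for each line exposing a token."""
    findings = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        user, url = match.group(1), match.group(2)
        params = sensitive_params_in_url(url)
        if params:
            findings.append((user, params, line.replace(url, redact_url(url))))
    return findings


# --- The alternative: opaque server-side session delivered in a cookie -------
SESSIONS = {}  # session id -> username; stands in for a real server-side store


def issue_session_cookie(username):
    """Mint a random session id, remember it server-side, return (id, Set-Cookie)."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a guessable string
    SESSIONS[sid] = username
    # Secure: only over HTTPS; HttpOnly: not readable by page scripts;
    # SameSite=Lax: not sent on cross-site POSTs. The URL itself carries nothing.
    header = f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return sid, header


def user_for_cookie(cookie_header):
    """Resolve a Cookie header value back to a user, or None if the id is unknown."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in SESSIONS:
            return SESSIONS[value]
    return None


if __name__ == "__main__":
    for user, params, redacted in audit_log(SAMPLE_LOG):
        print(f"{user}: credential-bearing params {params}")
        print(f"  safe to retain: {redacted}")
    sid, set_cookie = issue_session_cookie("jdoe")
    print(set_cookie)
    print("resolved:", user_for_cookie(f"sid={sid}"))
```

Run as-is it flags only the first sample line (the one with `autologin=` in the query), prints a copy with the token value replaced, and then shows a cookie-based login where the only thing a URL-logging proxy would ever see is `/p/login.cgi`.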
The fact that this URL text (/p/login.cgi?autologin=UmFuZG9tSVYtv5_l_