Re: losing session data with cross-site scripting

Chris Shiflett wrote:

> Steve Lefevre wrote:
>
> In this case, a user's session is stagnant for the duration of their trip to the other server. I'm guessing that users are typically only there for a brief moment, but this is something to keep in mind. Is there a way that some of your users might spend more time than you expect at the development site?

That could be, but given how it's just affecting one user on one particular machine, I'm thinking it's something on the machine, i.e. browser settings, firewall, etc.

> > > Checking Referer is useless, because everyone knows what you
> > > expect it to be.
> >
> > I'm not following you. How would anyone know what it should be?
> > Do you know what it should be?
>
> Heh. :-) Sorry about the ambiguity.
>
> What I mean is that people are only likely to know where your spell-checking thing is if they use your site. These people, by using your site, are going to know what the expected Referer is. Does that make more sense?

Ok, I get it. I'm not really worried about users hacking into the website -- they aren't that computer savvy (trust me), and they just want to get their job done and stay *off* the website. I think the security is good enough. And like I said all that's on it is spell checking anyways.

> > That could be, but it consistently affects only one user on her
> > home computer, but not on her work.
>
> That's unfortunate. Your best bet might be to log everything you can - all HTTP headers for each request, all session activity, etc. If you can't reproduce the problem yourself, it's going to be very hard to debug (as I'm sure you've noticed).

That's no joke ;) !

> No problem - I thought you might have just left out something. Cross-site scripting is something else.
>
> By the way, you might consider using session_set_save_handler() to write your own session handling functions (temporarily), so that you can add more logging. I've found this to be helpful when debugging extremely sophisticated session problems.

This is very helpful as I will be doing advanced logging in the near future.

Can you explain what cross-site scripting is, then?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
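The session_set_save_handler() approach suggested in the thread, as an added example that is not code from the thread or from PHP itself: a file-backed handler that logs every open/read/write/destroy together with the request's HTTP headers, which is the "log everything" advice above in practice. The log and session directory paths are placeholders.

```php
<?php
// Added example, not code from the thread: a file-backed session save handler
// registered via session_set_save_handler() that logs each session operation
// plus the client's request headers. $logFile/$sessDir are placeholder paths.
$logFile = '/tmp/session-debug.log';
$sessDir = '/tmp/php-sessions';

function sess_log($op, $id, $extra = '') {
    global $logFile;
    $headers = array();
    foreach ($_SERVER as $k => $v) {           // HTTP_* keys are request headers
        if (strncmp($k, 'HTTP_', 5) === 0) { $headers[] = "$k=$v"; }
    }
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    $line = sprintf("%s %s id=%s ip=%s %s [%s]\n", date('c'), $op, $id, $ip,
                    $extra, implode('; ', $headers));
    // The log holds session ids and cookies: keep it outside the web root.
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}
// basename() stops a tampered session cookie from escaping $sessDir.
function sess_file($id) { global $sessDir; return "$sessDir/sess_" . basename($id); }

function sess_open($savePath, $name) {
    global $sessDir;
    if (!is_dir($sessDir)) { mkdir($sessDir, 0700, true); }
    sess_log('open', '-', "name=$name"); return true;
}
function sess_close() { sess_log('close', '-'); return true; }
function sess_read($id) {
    $f = sess_file($id);
    $data = is_file($f) ? (string) file_get_contents($f) : '';
    // bytes=0 for an id the client presented means the data is gone or expired.
    sess_log('read', $id, 'bytes=' . strlen($data));
    return $data;
}
function sess_write($id, $data) {
    $ok = file_put_contents(sess_file($id), $data, LOCK_EX) !== false;
    sess_log('write', $id, 'bytes=' . strlen($data) . ' ok=' . (int) $ok);
    return $ok;
}
function sess_destroy($id) { sess_log('destroy', $id); return !is_file(sess_file($id)) || unlink(sess_file($id)); }
function sess_gc($maxlifetime) {
    $n = 0;
    foreach (glob(sess_file('*')) as $f) {
        if (filemtime($f) + $maxlifetime < time() && unlink($f)) { $n++; }
    }
    sess_log('gc', '-', "removed=$n");
    return $n;
}
session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy', 'sess_gc');
session_start();
```

Comparing consecutive read lines for one client shows whether the session id changes between requests (cookie not sent back) or stays the same while bytes drops to 0 (data removed server-side), which separates a browser/firewall problem from a server-side one.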

