On Tue, 2008-01-29 at 19:48 +0100, Per Jessen wrote:
> Robert Cummings wrote:
>
> > Actually, now you made me think on it... the primary reason I disable
> > referrer logging is because it will also pass along lovely information
> > such as any session ID embedded in the URL. So if you happen to get on
> > a malicious site, they could access the account from which you've
> > come.
>
> Hmm, interesting idea. I wonder if the sessionid isn't tied to the
> IP-address even when it's part of the URL?

It sure isn't. AOL is known to on-the-fly change your connection domain, so
tying an IP address to a session ID won't work very well for people
connecting via AOL. Similar problems exist for multiple users behind NAT.
Other companies do similar. You can test for yourself too... the default
session ID created via PHP sessions is not tied to anything.

> Still, I can't help thinking that if this is a serious problem, it would
> have been dealt with long ago.

http://www.google.com/search?hl=en&q=referer+session+hijacking

Cheers,
Rob.

-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
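The thread above describes session IDs leaking through the Referer header when they are carried in the URL, and notes that a default PHP session ID is not bound to anything. The following is an added example, not code from any poster in this thread, showing the PHP session settings that keep the ID out of URLs entirely; it assumes PHP 7 or later, and the function names `session_id_in_request` and `secure_session_start` are ours.

```php
<?php
// Added example (not from the mailing-list thread): start a PHP session
// whose ID only ever travels in a cookie, so it cannot end up in a URL
// and therefore cannot be passed to another site in a Referer header.
// Assumes PHP >= 7.0 (scalar type hints, session.use_strict_mode).

/**
 * True if the request tried to hand us a session ID as a URL or form
 * parameter instead of in the session cookie.
 */
function session_id_in_request(array $get, array $post, string $name): bool
{
    return isset($get[$name]) || isset($post[$name]);
}

function secure_session_start(): void
{
    // Weak settings: use_only_cookies=0 (the default before PHP 5.3)
    // accepts ?PHPSESSID=... from the URL, and use_trans_sid=1 actively
    // rewrites links and forms to carry the ID. Hardened values below.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not itself generate (defeats fixation).
    ini_set('session.use_strict_mode', '1');
    // Cookie is HTTPS-only when the request is over TLS, and HttpOnly.
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $secure, true);

    if (session_id_in_request($_GET, $_POST, session_name())) {
        // With use_only_cookies=1 PHP already ignores this; log it anyway,
        // since a URL-borne ID is either a leaked link or a fixation attempt.
        error_log('session ID supplied as a request parameter; ignored');
        unset($_GET[session_name()], $_POST[session_name()]);
    }

    session_start();
    // Issue a fresh ID for every new session so a previously leaked
    // value is useless even if it was captured somewhere.
    if (empty($_SESSION['initialised'])) {
        session_regenerate_id(true);
        $_SESSION['initialised'] = true;
    }
    // Also stop the browser from sending our URLs to other origins at all.
    header('Referrer-Policy: same-origin');
}

secure_session_start();
```

The `Referrer-Policy` header is a later addition to browsers than the 2008 discussion, but it closes the same leak from the client side regardless of what is in the URL.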