Re: Re: disable referer ? (was: Framed & Linked Content)

On Tue, 2008-01-29 at 19:48 +0100, Per Jessen wrote:
> Robert Cummings wrote:
> 
> > Actually, now you made me think on it... the primary reason I disable
> > referrer logging is because it will also pass along lovely information
> > such as any session ID embedded in the URL. So if you happen to get on
> > a malicious site, they could access the account from which you've
> > come.
> 
> Hmm, interesting idea.  I wonder if the sessionid isn't tied to the
> IP-address even when it's part of the URL?

It sure isn't. AOL is known to on the fly change your connection domain
so tying an IP address to a session ID won't work very well for people
connecting via AOL. Similar problems exist for multiple users behind
NAT. Other companies do similar. You can test for yourself too... the
default session ID created via PHP sessions is not tied to anything.

> Still, I can't help thinking that if this is a serious problem, it would
> have been dealt with long ago.

http://www.google.com/search?hl=en&q=referer+session+hijacking

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
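A log check for the Referer leakage Rob describes, added here as an example and not part of the thread: it scans Apache combined-format access log lines and flags requests where a session ID travels in the request URL (so any outbound link on that page will carry it in the Referer) or arrives in the Referer header. The parameter names, the log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-parameter names commonly used to carry a session ID in the URL.
# Assumption: PHP's default session.name is PHPSESSID; add your own name if changed.
SESSION_PARAMS = {"phpsessid", "sid", "sessionid", "jsessionid"}

# Apache "combined" format: ip - - [time] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def session_params_in(url):
    """Return the session-ID query parameter names present in a URL or path."""
    query = urlsplit(url).query
    return sorted(k for k in parse_qs(query, keep_blank_values=True)
                  if k.lower() in SESSION_PARAMS)

def find_leaks(log_lines):
    """Yield (kind, ip, url) for each leak candidate.
    kind "url":     our site served a URL with the session ID in it.
    kind "referer": the Referer carried a session ID, either ours propagating
                    page to page or another site's leaking to us."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if session_params_in(m["path"]):
            yield ("url", m["ip"], m["path"])
        if m["referer"] not in ("", "-") and session_params_in(m["referer"]):
            yield ("referer", m["ip"], m["referer"])

# Constructed sample lines (not real traffic); session IDs and hosts are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jan/2008:19:48:00 +0100] "GET /account.php?PHPSESSID=abc123def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jan/2008:19:48:05 +0100] "GET /logo.png HTTP/1.1" 200 1024 "http://example.com/account.php?PHPSESSID=abc123def456" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jan/2008:19:50:00 +0100] "GET /index.php HTTP/1.1" 200 2048 "http://other.example/page?sid=zzz999" "Mozilla/5.0"',
    '198.51.100.8 - - [29/Jan/2008:19:51:00 +0100] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, ip, url in find_leaks(SAMPLE_LOG):
        print(f"{kind:8} {ip:15} {url}")
```

Any "url" hit means the site itself is putting the ID into links (in PHP, session.use_trans_sid), which is what turns an ordinary outbound link into a session leak.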

