Richard Lynch wrote:

> On Tue, January 29, 2008 12:48 pm, Per Jessen wrote:
>> Robert Cummings wrote:
>>
>>> Actually, now you made me think on it... the primary reason I
>>> disable referrer logging is because it will also pass along lovely
>>> information such as any session ID embedded in the URL. So if you
>>> happen to get on a malicious site, they could access the account
>>> from which you've come.
>>
>> Hmm, interesting idea. I wonder if the sessionid isn't tied to the
>> IP-address even when it's part of the URL?
>
> It CANNOT be tied to the IP address, because most users' IP addresses
> are not static.

I think it is for the duration of the session. Mine certainly is.

> Google for "session hijacking" for more info.
>
>> Still, I can't help thinking that if this is a serious problem, it
>> would have been dealt with long ago.
>
> War is a serious problem.
>
> So is murder.
>
> So is people cutting me off in traffic. :-v
>
> None of them have been dealt with effectively yet.

Sure it has - nobody cuts me off in traffic here. :-)

Regardless, I did some googling and read a bit about session hijacking
and such. I still don't see much of a serious problem. When Firefox
switches off REFERER by default, we can talk again.

/Per Jessen, Zürich

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
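
As an added illustration (not part of the original thread), the Python sketch below audits combined-format access log lines for the leak Robert Cummings describes: a session ID embedded in a URL that then travels in the Referer header. The log lines, host names and the `find_leaks` helper are constructed for this example; `PHPSESSID` is PHP's default session name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHPSESSID is PHP's default session.name; extend the set for custom names.
SESSION_PARAMS = {"phpsessid"}

# Apache/nginx "combined" format: ip - - [date] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def session_ids_in(url, names=SESSION_PARAMS):
    """Return the values of session-ID query parameters found in url."""
    query = urlsplit(url).query
    return [v for k, v in parse_qsl(query) if k.lower() in names]

def mask(sid):
    """Keep four characters for correlation; never re-log the full ID."""
    return sid[:4] + "*" * max(len(sid) - 4, 0)

def find_leaks(lines, own_host, names=SESSION_PARAMS):
    """Return (line_no, kind, masked_id) for every session ID seen in a URL."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        for sid in session_ids_in(m["target"], names):
            findings.append((no, "id-in-request-url", mask(sid)))
        ref = m["referer"]
        host = urlsplit(ref).hostname or ""
        for sid in session_ids_in(ref, names):
            # Our own ID in a Referer means URL-based sessions are in use and
            # will be sent to any external site the page links to or embeds.
            kind = "id-in-own-referer" if host == own_host else "foreign-id-in-referer"
            findings.append((no, kind, mask(sid)))
    return findings

# Constructed sample log lines (documentation IP ranges, example host names).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Jan/2008:12:48:00 +0000] "GET /account.php?PHPSESSID=a1b2c3d4e5f6 HTTP/1.1" 200 512 "-" "ExampleUA"',
    '198.51.100.7 - - [29/Jan/2008:12:48:05 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "http://shop.example/account.php?PHPSESSID=a1b2c3d4e5f6" "ExampleUA"',
    '203.0.113.9 - - [29/Jan/2008:12:49:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "http://other.example/forum.php?t=5&PHPSESSID=ffee00112233" "ExampleUA"',
    '203.0.113.9 - - [29/Jan/2008:12:49:12 +0000] "GET /about.php HTTP/1.1" 200 900 "http://shop.example/index.php" "ExampleUA"',
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG, own_host="shop.example"):
        print(finding)
```

A `foreign-id-in-referer` finding means another site's session ID has landed in your own logs, which is a reason to redact Referer values before storing them.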