On Thu, January 31, 2008 1:19 am, Per Jessen wrote:
> Richard Lynch wrote:
>
>> On Tue, January 29, 2008 12:48 pm, Per Jessen wrote:
>>> Robert Cummings wrote:
>>>
>>>> Actually, now you made me think on it... the primary reason I
>>>> disable referrer logging is because it will also pass along lovely
>>>> information such as any session ID embedded in the URL. So if you
>>>> happen to get on a malicious site, they could access the account
>>>> from which you've come.
>>>
>>> Hmm, interesting idea. I wonder if the sessionid isn't tied to the
>>> IP-address even when it's part of the URL?
>>
>> It CANNOT be tied to the IP address, because most users' IP
>> addresses are not static.
>
> I think it is for the duration of the session. Mine certainly is.

Yours might be.

AOL users are *NOT*.

In peak periods, an AOL user's IP address will change with every HTTP request.

Further, large corporate users will ALL appear as a single IP address.

>> Google for "session hijacking" for more info.
>>
>>> Still, I can't help thinking that if this is a serious problem, it
>>> would have been dealt with long ago.
>>
>> War is a serious problem.
>>
>> So is murder.
>>
>> So is people cutting me off in traffic. :-v
>>
>> None of them have been dealt with effectively yet.
>
> Sure it has - nobody cuts me off in traffic here. :-)
>
> Regardless, I did some googling and read a bit about session hijacking
> and such. I still don't see much of a serious problem. When Firefox
> switches off REFERER by default, we can talk again.

Suppose only 0.1% of the Internet users have REFERER off.

You say "That's not much. 0.1%"

Now suppose there are a billion people who use the Internet.

What is 0.1% of a billion?

Do the math.

If you have even a few thousand visitors, you are likely getting at least a few that have no REFERER...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
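The leak Robert Cummings describes (a session ID embedded in the URL, carried to any external site in the Referer header) comes from PHP's URL-based session propagation. The following is an added example, not code from anyone in the thread: it sets the php.ini session options that keep the ID out of URLs and adds a small audit function for checking whether a generated link would carry it. The URLs and the `hardenSessionConfig` / `urlCarriesSessionId` names are constructed for the example.

```php
<?php
// Added example (not from the thread): keep the PHP session ID out of
// URLs, and audit a URL for an embedded ID the way a Referer header
// would expose it to the next site the user visits.
declare(strict_types=1);

// Call before session_start(). With session.use_trans_sid=1 PHP rewrites
// links to append ?PHPSESSID=..., which is exactly what the Referer header
// then hands to any external site the user clicks through to.
function hardenSessionConfig(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID= in URLs
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry it
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');  // keep the cookie away from scripts
    ini_set('session.cookie_secure', '1');    // only send the cookie over HTTPS
}

// Returns the session ID found in the URL's query string, or null when the
// URL carries none. $sessionName defaults to PHP's default session name.
function urlCarriesSessionId(string $url, string $sessionName = 'PHPSESSID'): ?string
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    if (isset($params[$sessionName]) && is_string($params[$sessionName])) {
        return $params[$sessionName];
    }
    return null;
}

hardenSessionConfig();

// Constructed samples: a link as a trans_sid-enabled page would emit it,
// and the same link once URL propagation is switched off.
$links = [
    'https://shop.example/cart.php?item=42&PHPSESSID=0123456789abcdef',
    'https://shop.example/cart.php?item=42',
];
foreach ($links as $link) {
    $id = urlCarriesSessionId($link);
    echo $link, ' => ', $id === null ? 'no session ID in URL' : "leaks session ID $id", PHP_EOL;
}
```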