On Jan 31, 2008 1:29 PM, Richard Lynch <ceo@xxxxxxxxx> wrote:
> On Thu, January 31, 2008 1:19 am, Per Jessen wrote:
> > Richard Lynch wrote:
> >
> >> On Tue, January 29, 2008 12:48 pm, Per Jessen wrote:
> >>> Robert Cummings wrote:
> >>>
> >>>> Actually, now you made me think on it... the primary reason I
> >>>> disable referrer logging is because it will also pass along lovely
> >>>> information such as any session ID embedded in the URL. So if you
> >>>> happen to get on a malicious site, they could access the account
> >>>> from which you've come.
> >>>
> >>> Hmm, interesting idea. I wonder if the sessionid isn't tied to the
> >>> IP-address even when it's part of the URL?
> >>
> >> It CANNOT be tied to the IP address, because most users' IP
> >> addresses are not static.
> >
> > I think it is for the duration of the session. Mine certainly is.
>
> Yours might be.
>
> AOL users are *NOT*.
>
> In peak periods, an AOL user's IP address will change with every HTTP
> request.
>
> Further, large corporate users will ALL appear as a single IP address.
>
> >> Google for "session hijacking" for more info.
> >>
> >>> Still, I can't help thinking that if this is a serious problem, it
> >>> would have been dealt with long ago.
> >>
> >> War is a serious problem.
> >>
> >> So is murder.
> >>
> >> So is people cutting me off in traffic. :-v
> >>
> >> None of them have been dealt with effectively yet.
> >
> > Sure it has - nobody cuts me off in traffic here. :-)
> >
> > Regardless, I did some googling and read a bit about session hijacking
> > and such. I still don't see much of a serious problem. When Firefox
> > switches off REFERER by default, we can talk again.
>
> Suppose only 0.1% of the Internet users have REFERER off.
>
> You say "That's not much. 0.1%"
>
> Now suppose there are a billion people who use the Internet.
>
> What is 0.1% of a billion?
>
> Do the math.
>
> If you have even a few thousand visitors, you are likely getting at
> least a few that have no REFERER...
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/from/lynch
> Yeah, I get a buck. So?
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

The fact it can be tampered with should be enough to ignore it, right?
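As an added example, not part of the thread and not the list's or PHP's own code, here is a small scan of web-server access-log lines for the condition Robert describes above: a session ID carried in the URL, which the browser then copies into the Referer header of any link the user follows. The log lines, host names and the parameter names in SESSION_PARAMS are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string names under which a session ID commonly travels in a URL
# (constructed list; PHPSESSID is PHP's default session name).
SESSION_PARAMS = {"PHPSESSID", "sid", "sessionid", "session_id"}

# Apache/nginx "combined" log format:
#   host ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines: one request with the session ID in the URL,
# one whose Referer repeats that ID, and one clean request.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2008:13:29:00 +0100] "GET /account.php?PHPSESSID=abc123def456 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [31/Jan/2008:13:29:07 +0100] "GET /logout.php HTTP/1.1" 302 0 "http://shop.example/account.php?PHPSESSID=abc123def456" "Mozilla/5.0"',
    '10.0.0.9 - - [31/Jan/2008:13:30:00 +0100] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def session_ids_in(url):
    """Return {param: value} for every session-ID parameter in url's query string."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in SESSION_PARAMS and v}

def find_session_exposure(log_lines):
    """Flag two things in combined-format access-log lines:
    - 'url_sid': the requested URL carries a session ID, so the browser will
      send it in the Referer of any outbound link on that page;
    - 'referer_sid': the Referer header itself carries a session ID, i.e. the
      ID has already been copied into a header a third party could log.
    Returns a list of (kind, client_host, session_id) tuples, in log order."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for value in session_ids_in(m["path"]).values():
            findings.append(("url_sid", m["host"], value))
        referer = m["referer"]
        if referer and referer != "-":
            for value in session_ids_in(referer).values():
                findings.append(("referer_sid", m["host"], value))
    return findings

if __name__ == "__main__":
    for kind, client, sid in find_session_exposure(SAMPLE_LOG):
        print(f"{kind}: client {client} exposed session id {sid}")
```

Any 'url_sid' hit means the site is still falling back to URL-embedded session IDs (in PHP, session.use_trans_sid with session.use_only_cookies off), which is the setting to change rather than relying on visitors having Referer disabled.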