I have a problem with starting sessions on my site. Let's say someone comes from site random.com, but the link they click on to get to my site has a ?sessid=gobbledygook in its href. The way things are now, the session starts right up using the sessid saved in their href. I suppose this could also happen with bookmarks. This means that, assuming garbage collection has not run on the server, any user can come to my site using that link and the server won't be able to tell them apart.

In trying to fix this problem, here's my logic so far. If the user hits my site and their referer doesn't match the host AND there is a sessid set in the GET vars, then forward them around with header commands to strip out the session ID. Then start a new unique session, then go back to my page. However, the referer doesn't change when you use header commands. Now I'm back in the same situation, i.e. the referer doesn't match the host and there is a sessid. It's a good one, but the application doesn't know that?

Is there an elegant, simple way to validate sessids as being unique in the GET vars when a user hits a site? Of course, assume we can't rely on cookies being enabled, for any reason.

I really appreciate any light you guys/gals can shed on this thing... it's driving me crazy. I've thought of validating against the files in the temp directory... but that won't always work because of garbage collection delays. I've thought about reading the RFCs for headers and changing the referer after assigning a new sessid, but that doesn't mean someone else out there couldn't write a script to fool my app anyway.

-Ethan Nelson, Modulus, LLC

-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
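The situation described in the post, a server adopting whatever session ID arrives in the URL, is session fixation, and the reliable check is the server-side one the poster was circling around ("does this ID belong to a session I created?"), done by the session module rather than by scanning the temp directory. The following is an added example, not code from the post or from the PHP project: it relies on the real ini settings session.use_strict_mode (PHP 5.5.2 and later) and session.trans_sid_hosts (PHP 7.1 and later); the function names startHardenedSession and onLogin and the constant SESSION_ROTATE_AFTER are illustrative choices of this example, and it assumes PHP 7.1 or later with a writable session.save_path.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes PHP >= 7.1, a writable
// session.save_path, and that this file runs before any output is sent. The
// function names and the rotation interval are illustrative choices.

const SESSION_ROTATE_AFTER = 300; // seconds between forced ID rotations (assumed policy)

function startHardenedSession(): void
{
    // Accept only session IDs this server issued. An ID that arrives in the URL
    // but has no session record (a bookmark, a link pasted on random.com, or one
    // an attacker chose) is discarded and a fresh server-generated ID is used,
    // instead of a new session being created under the client's value.
    ini_set('session.use_strict_mode', '1');

    // Cookie-less operation, as in the post: PHP rewrites local links to carry the
    // ID. Limit that rewriting to this host so the ID never ends up in an href
    // that points off-site.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '1');
    ini_set('session.trans_sid_hosts', $_SERVER['HTTP_HOST'] ?? 'localhost');

    // Pages whose URLs carry a session ID must not be stored by shared caches.
    session_cache_limiter('nocache');
    session_start();

    $now = time();
    if (!isset($_SESSION['__created'])) {
        // First request for this session record: rotate the ID so that whatever
        // value the client arrived with is not the one the session continues under.
        session_regenerate_id(true);
        $_SESSION['__created'] = $now;
        $_SESSION['__rotated'] = $now;
    } elseif ($now - $_SESSION['__rotated'] > SESSION_ROTATE_AFTER) {
        // Periodic rotation: a URL copied or bookmarked earlier then carries a
        // dead ID, which strict mode rejects on the next visit. Passing true
        // deletes the old record, so the old ID cannot be picked up by anyone.
        session_regenerate_id(true);
        $_SESSION['__rotated'] = $now;
    }
}

// Call at every privilege change (login, role switch): anyone who obtained the
// pre-login ID from a URL is left holding an ID that no longer maps to a session.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['__rotated'] = time();
}

// Minimal demonstration when run from the command line (constructed, no HTTP request).
if (PHP_SAPI === 'cli') {
    startHardenedSession();
    $before = session_id();
    onLogin(42);
    printf("session id before login: %s\nsession id after login:  %s\n", $before, session_id());
}
```

Two caveats a practitioner would want alongside this. First, the Referer loop the poster hit is inherent: a redirect issued with header() does not change the Referer the browser sends on the follow-up request, and Referer is client-controlled anyway, so it is not usable as the validation step; strict mode moves that decision to the server, where it is not subject to the garbage-collection race of checking the temp directory by hand. Second, what this does not close is the case where a link carrying a currently live ID is copied and clicked by a second person, who then joins that live session; without cookies that window cannot be eliminated, only narrowed, which is what the periodic rotation, deletion of the old record, and regeneration at login are for.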