Re: [PHP] Re: disable referer ? (was: Framed & Linked Content)

Richard Lynch wrote:

On Tue, January 29, 2008 12:48 pm, Per Jessen wrote:
Robert Cummings wrote:

Actually, now you made me think on it... the primary reason I
disable
referrer logging is because it will also pass along lovely
information
such as any session ID embedded in the URL. So if you happen to get
on
a malicious site, they could access the account from which you've
come.

Hmm, interesting idea. I wonder if the sessionid isn't tied to the
IP-address even when it's part of the URL?

It CANNOT be tied to the IP address, because most users' IP addresses
are not static.

I think it is for the duration of the session. Mine certainly is.

Google for "session hijacking" for more info.

Still, I can't help thinking that if this is a serious problem, it
would have been dealt with long ago.

War is a serious problem.

So is murder.

So is people cutting me off in traffic. :-v

None of them have been dealt with effectively yet.

Sure it has - nobody cuts me off in traffic here. :-)

Regardless, I did some googling and read a bit about session hijacking
and such. I still don't see much of a serious problem. When Firefox
switches off REFERER by default, we can talk again.


/Per Jessen, Zürich
.