Re: [PHP] Re: disable referer ? (was: Framed & Linked Content)

Richard Lynch wrote:

It CANNOT be tied to the IP address, because most users' IP
addresses are not static.

I think it is for the duration of the session. Mine certainly is.

Yours might be.
AOL users are *NOT*.
In peak periods, an AOL users' IP address with change with every HTTP
request.

Surely you are joking?? Don't they use DHCP for dishing out addresses?
I guess AOL users just have to do without https during peak hours :-)

Further, large corporate users will ALL appear as a single IP address..

Yes, that's assuming they're using NAT - which many small and large
entities will be, I agree. In such cases, if the session id _is_
somehow tied to the IP-address, any attempt to hijack the session from
outside the NAT'ed network will fail.

Regardless, I did some googling and read a bit about session
hijacking and such. I still don't see much of a serious problem.
When Firefox switches off REFERER by default, we can talk again.

Suppose only 0.1% of the Internet users have REFERER off.

You say "That's not much. 0.1%"

Now suppose there are a billion people who use the Internet.

What is 0.1% of a billion?

Do the math.

10million. But what I said was that _maybe_ 0.00X% have REFERER
switched off - and 0.001% of 1billion is 10.000 people. I can live
with that.

If you have even a few thousand visitors, you are likely getting at
least a few that have no REFERER...

Like I said, I can live with that. If people are that paranoid, they
shouldn't be on the internet at all, IMHO.


/Per Jessen, Zürich
.