Re: [Phplib-users] Multi-domain sessions?
From: Walters J. P. <jw...@sa...> - 2002-05-13 00:38:16
> >will want to verify the HTTP_REFERER so that sessions can only be
> >"hijacked" by your sites.
>
> HTTP_REFERER is supplied by the user and cannot be trusted.
>
Are you then forced to do some kind of server-side authentication? How
vulnerable are your user accounts with this sort of hack in place? I'm just
wondering if the age of session IDs renders further security pointless,
considering it would be very difficult to get hold of a session ID.
Possibly the biggest concern is for any pages on your site that already
end up putting the session ID in the URL, which would then show up in
referrer logs... which happens with all non-cookie browsers.
Justin
_______________________________________________________
2 common misconceptions
0) Pain is bad.
1) Omniscience necessitates predestination.
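As an added example (not code from this thread or from PHPLib), the two points discussed above in Python: a Referer check is satisfied by any client that simply chooses to send the expected header, and a session ID carried in the URL turns up in the access logs of every site the user follows a link to. The query-parameter name PHPSESSID, the host names and the log lines are constructed for illustration; PHPLib's own session name is configurable and need not match.

```python
"""Constructed demonstration of two things said in the thread:

1. A check on HTTP_REFERER is not authentication: the header is chosen by
   the client, so a forged request passes the check.
2. A session ID placed in the URL leaks to third parties through the
   Referer header and lands in their access logs.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed for illustration only: the session ID travels as ?PHPSESSID=...
# (PHPLib's real session name is configurable.)
SESSION_PARAM = "PHPSESSID"


def referer_allowed(headers: dict, allowed_hosts: set) -> bool:
    """The naive check the thread asks about: accept the request only if
    the Referer host is one of our own sites."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname in allowed_hosts


def attacker_request(stolen_sid: str) -> dict:
    """Headers a client holding a stolen session ID can send. The Referer
    value is picked by the sender, so it names whatever host the check
    expects; nothing on the server can tell this apart from a real one."""
    return {
        "Referer": "https://www.example.com/index.php",  # forged at will
        "Cookie": f"{SESSION_PARAM}={stolen_sid}",
    }


# Apache "combined" log format, as a third-party site would record hits.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def leaked_session_ids(log_lines) -> list:
    """Scan another site's access log for our session IDs carried in the
    Referer field. Returns (referring host, session id) pairs: exactly the
    data a third party obtains when the ID rides in the URL, since browsers
    of the period sent the full URL, query string included."""
    found = []
    for line in log_lines:
        m = COMBINED_LOG.match(line)
        if not m or m.group("referer") == "-":
            continue
        parts = urlsplit(m.group("referer"))
        for sid in parse_qs(parts.query).get(SESSION_PARAM, []):
            found.append((parts.hostname, sid))
    return found


# Constructed log lines: the first hit came from a page that carried the
# session ID in its URL, the second from the same page served with a cookie.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/May/2002:00:38:16 +0000] "GET /banner.gif HTTP/1.0" 200 4512 '
    '"http://www.example.com/members.php?PHPSESSID=5f0e2c3a9b1d4e6f" "Mozilla/4.7 [en]"',
    '203.0.113.7 - - [13/May/2002:00:40:01 +0000] "GET / HTTP/1.0" 200 1024 '
    '"http://www.example.com/members.php" "Mozilla/4.7 [en]"',
    '198.51.100.9 - - [13/May/2002:00:41:30 +0000] "GET /x HTTP/1.0" 404 209 "-" "curl/7.9"',
]


if __name__ == "__main__":
    ours = {"www.example.com"}
    print("forged Referer passes check:", referer_allowed(attacker_request("deadbeef"), ours))
    print("session IDs visible in third-party log:", leaked_session_ids(SAMPLE_LOG))
```

Run it as a script to see both results; the second list is what an operator of a site you link to can read straight out of their logs, which is why the URL-based fallback for cookieless browsers is the part of the design worth worrying about.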