Re: [Phplib-users] Multi-domain sessions?
From: Richard A. <rh...@ju...> - 2002-05-13 03:27:02
At 7:38 PM -0500 12/5/02, Walters Justin Peter wrote:
>> >will want to verify the HTTP_REFERER so that sessions can only be
>> >"hi-jacked" by your sites.
>>
>> HTTP_REFERER is supplied by the user and cannot be trusted.
>>
>
>Are you then forced to do some kind of server-side authentication?

If you pass the session ID in the URL, you are effectively doing server-side authentication, because (presumably) only the server and the client know the session ID.

Assuming, that is, you're running an SSL connection... and that's the first thing to do when security is important!

...R.