Yeah, create a safe link jumping point.  Something that you'd link to
instead of the external link, and pass in the external link, without a
session_id so that the HTTP_REFERER won't have the session ID.

Don't rely on IP address for more reasons than you mentioned...

It might not hurt to implement some kind of "time out" feature too.  It's
you and a dagger against an army.

Jay

On Thu, 24 May 2001, stefan weiss wrote:

> From: <[EMAIL PROTECTED]>
>
> > A better way for session ids is to put them in front of the URI:
> > http://www.nus.edu.sg/dfd3453/some/path/and/file.html
> (...)
> > These session ids are sticky as long as you only use relative paths in your
> > html. Note: You may want to put your images in a directory that's not covered by
> > this handler and use absolute paths...
>
>
> But wouldn't the session ID get sent to other (possible malicious) servers
> as well - in the HTTP_REFERER, if the user clicks on an external link?
> That might enable a script on that other server to grab your user's session.
> I guess you could add an additional check including the original user's IP
> address, but that's not really safe either. People working in the same
> company could spy on each other if they use the same HTTP proxy.
>
> Any known workarounds for this?
>
>
> cheers,
> stefan
>
>
>
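As an added illustration of the two suggestions in this reply (a jump link that keeps the session id out of the Referer, and an idle time-out), not code from the thread or from any handler discussed in it: the path format `/<hex session id>/rest`, the `/jump?to=...` endpoint and the `SessionStore` class are all assumptions made for the example.

```python
import re
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed layout from the thread: session id is the first path component,
# e.g. /dfd3453/some/path/and/file.html.  Treating it as 8+ hex chars is
# an assumption for this example, not the real handler's format.
SESSION_PATH_RE = re.compile(r"^/([0-9a-f]{8,})(/.*)$")


def split_session_path(path):
    """Split '/<sid>/rest' into (sid, '/rest'); return (None, path) if no sid."""
    m = SESSION_PATH_RE.match(path)
    if not m:
        return None, path
    return m.group(1), m.group(2)


def build_jump_link(external_url):
    """Build the 'safe link jumping point' URL for an external target.

    The jump URL lives outside the session-prefixed tree, so when the
    browser follows the redirect the Referer it sends to the external
    site is /jump?to=..., which carries no session id.
    """
    return "/jump?" + urlencode({"to": external_url})


def handle_jump(request_url):
    """Resolve a /jump request.  Returns (http_status, redirect_location).

    Only http/https targets are honoured so the endpoint cannot be used
    to redirect to arbitrary schemes.
    """
    parsed = urlparse(request_url)
    target = parse_qs(parsed.query).get("to", [None])[0]
    if not target:
        return 400, None
    if urlparse(target).scheme.lower() not in ("http", "https"):
        return 400, None
    return 302, target


class SessionStore:
    """In-memory session table with the idle time-out suggested above.

    `clock` is injectable so the expiry logic can be exercised without
    real waiting.
    """

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._last_seen = {}

    def create(self):
        sid = secrets.token_hex(16)          # 32 hex chars, matches SESSION_PATH_RE
        self._last_seen[sid] = self.clock()
        return sid

    def validate(self, sid):
        """True if sid exists and was used within ttl; refreshes the timestamp."""
        seen = self._last_seen.get(sid)
        if seen is None:
            return False
        now = self.clock()
        if now - seen > self.ttl:
            del self._last_seen[sid]         # expired: drop it outright
            return False
        self._last_seen[sid] = now
        return True


if __name__ == "__main__":
    sid, rest = split_session_path("/dfd3453a/some/path/and/file.html")
    print("session:", sid, "path:", rest)
    jump = build_jump_link("http://other.example/page?x=1")
    print("jump link:", jump, "->", handle_jump(jump))
```

The jump endpoint is deliberately placed at `/jump`, i.e. not under the session-prefixed tree, and the validation in `handle_jump` limits it to http/https targets; an open redirect that accepts any scheme would trade one problem for another.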
