That wouldn't work if there is already a Session ID, so that's where HTTP_REFERER come into play.
Try it out by logging to any webpages with Session ID. Then copy the URL address with the Session ID already there. Paste it into an email and send it to a different computer. On the new computer, substitute a couple of alpha-numeric characters with a different one. Like replace any of the 5 characters with a different 5 characters. Finally, copy the URL address with the alter Session ID and paste it into the URL address of a browser and press enter. You'll find yourself being able to access the website without logging in. The $_SESSION data would not exist but it gave the hacker what they need to break in and hacker aren't pretty dumb, they can figure out to make it work along the way. What so ironic is that the SSL can be established anyway. "Paul Roberts" <[EMAIL PROTECTED]> wrote in message 021c01c2bcda$d007cde0$28ef86d9@laptop1">news:021c01c2bcda$d007cde0$28ef86d9@laptop1... try looking at sessions, if they don't have a login session id send them to the login page otherwise they are logged in so let them see the page. works for me Best Wishes & Happy New Year Paul Roberts [EMAIL PROTECTED] ++++++++++++++++++++++++ ----- Original Message ----- From: "Scott Fletcher" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, January 15, 2003 9:07 PM Subject: Re: [PHP] HTTP_REFERER work without a problem.... It's not a PHP bug. Many PHP programmer tried to their best to use HTTP_REFERER so they can keep track of which webpages on the current website did the user last visited. That way, they can keep out the unauthorized access to the website without first logging in to the website. Well, my company's website use both SSL and Session ID. They are good for starter but they aren't any secure if anyone can make a direct access without logging in. That's where I use HTTP_REFERER to see what last page did he or she visited, if the last page being visited is outside of my company's website then php moved the end user to the login page. It is pretty effective. The common problem with the browsers is that they aren't compactible so HTTP_REFERER don't alway work right and sometime return a blank if those three are being used. I had been observing it for a few years. Those three are 1) HierMenus, 2) location.replace('') and 3) location.href=''. When either one of these are in use, some browsers return with a blank in HTTP_REFERER. Cheers.... "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > --- Scott Fletcher <[EMAIL PROTECTED]> wrote: > > Here's what I found so interesting.... > > > > This code, $_SERVER['HTTP_REFERER'] have worked without a > > problem when I use the latest Mozilla build. It even work > > with the HierMenus, > location.replace('http://whatever.com'), > > and location.href = http://whatever.com... > > > > This is a good news for PHP everywhere. > > > > Unfortunately, Internet Explorer still have this > > bug....... > > What bug is that? > > Is there a question here somewhere? I think I am having a > hard time interpreting it. > > Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
