Or worse, not substituting the characters in the Session ID.  Just use the
same Session ID.  What if there are leftover session files in the /tmp
directory of the Unix machine and we're dealing with hundreds of users each
day.  Some of those session files aren't deleted because the user just
closed the browser without logging out.  It is unfortunate that there is no
better solution to this.
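The concern in this thread is a login gate that treats "the request carries a session ID" or "HTTP_REFERER points at our own site" as proof of login. The PHP below is an added example, not code from any poster or from the PHP project, placing that weak gate beside a hardened one: session IDs the server never issued are rejected (`session.use_strict_mode`), login is decided only by a server-side flag written after credentials check out, the ID is regenerated on login so a previously observed or fixed ID is useless, and logout destroys the session file so it does not linger in /tmp. The user table and password are constructed sample data, and `check_credentials` is a helper written here for the example.

```php
<?php
declare(strict_types=1);

// Session hardening must be set before session_start().
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');    // cookie only over HTTPS
ini_set('session.gc_maxlifetime', '1800'); // abandoned /tmp files get collected
session_start();

// Constructed sample user table (example only); hash computed at runtime.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Hypothetical helper for this example: verifies a password against the table.
function check_credentials(string $user, string $pass): bool
{
    global $USERS;
    return isset($USERS[$user]) && password_verify($pass, $USERS[$user]);
}

// Weak gate, as described in the thread: "has a session ID" plus "came from
// our site". Any ID starts a session when strict mode is off, and the Referer
// header is client-controlled and often blank, so this proves nothing.
function weak_is_logged_in(): bool
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    return session_id() !== '' && str_starts_with($referer, 'https://www.example.com/');
}

// Hardened gate: only a flag set by a successful login counts. An altered or
// guessed ID is either rejected outright or maps to a session with no user_id.
function is_logged_in(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['login_time'])
        && $_SESSION['login_time'] > time() - 1800;
}

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // New ID at the privilege change; true deletes the old session file, so an
    // ID observed or planted before login does not carry over.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // removes the session file from /tmp
}

// Page handling: redirect anyone without a real login to the login page.
if (!is_logged_in()) {
    header('Location: /login.php', true, 303);
    exit;
}
echo 'Welcome back, ', htmlspecialchars($_SESSION['user_id'], ENT_QUOTES, 'UTF-8');
```

With strict mode on, a pasted URL carrying an altered ID yields a fresh, empty session rather than an accepted one, and `is_logged_in()` still fails because no `user_id` was ever set; `HTTP_REFERER` does not enter into the decision at all, so the blank-Referer browser quirks discussed later in the thread stop mattering.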

"Scott Fletcher" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> That wouldn't work if there is already a Session ID, so that's where
> HTTP_REFERER come into play.
>
> Try it out by logging in to any webpage with a Session ID.  Then copy the URL
> address with the Session ID already there.  Paste it into an email and send
> it to a different computer.  On the new computer, substitute a couple of
> alpha-numeric characters with different ones.  Like replace any of the 5
> characters with a different 5 characters.  Finally, copy the URL address
> with the altered Session ID and paste it into the URL address of a browser and
> press enter.  You'll find yourself being able to access the website without
> logging in.  The $_SESSION data would not exist but it gave the hacker what
> they need to break in, and hackers aren't pretty dumb, they can figure out how to
> make it work along the way.
>
> What so ironic is that the SSL can be established anyway.
>
>
> "Paul Roberts" <[EMAIL PROTECTED]> wrote in message
> news:021c01c2bcda$d007cde0$28ef86d9@laptop1...
> try looking at sessions,
>
> if they don't have a login session id send them to the login page otherwise
> they are logged in so let them see the page.
>
> works for me
>
> Best Wishes & Happy New Year
>
> Paul Roberts
> [EMAIL PROTECTED]
> ++++++++++++++++++++++++
> ----- Original Message -----
> From: "Scott Fletcher" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 15, 2003 9:07 PM
> Subject: Re: [PHP] HTTP_REFERER work without a problem....
>
>
> It's not a PHP bug.  Many PHP programmers tried their best to use
> HTTP_REFERER so they can keep track of which webpage on the current website
> the user last visited.  That way, they can keep out unauthorized
> access to the website without first logging in to the website.
>
> Well, my company's website uses both SSL and Session ID.  They are good for
> starters but they aren't secure at all if anyone can make a direct access
> without logging in.  That's where I use HTTP_REFERER to see what page
> he or she last visited; if the last page visited is outside of my
> company's website then php moves the end user to the login page.  It is
> pretty effective.
>
> The common problem with the browsers is that they aren't compatible so
> HTTP_REFERER doesn't always work right and sometimes returns a blank if those
> three are being used.  I had been observing it for a few years.  Those three
> are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
> either one of these is in use, some browsers return with a blank in
> HTTP_REFERER.
>
> Cheers....
>
> "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > --- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> > > Here's what I found so interesting....
> > >
> > > This code, $_SERVER['HTTP_REFERER'], has worked without a
> > > problem when I use the latest Mozilla build. It even works
> > > with the HierMenus,
> > > location.replace('http://whatever.com'),
> > > and location.href = http://whatever.com...
> > >
> > > This is good news for PHP everywhere.
> > >
> > > Unfortunately, Internet Explorer still has this
> > > bug.......
> >
> > What bug is that?
> >
> > Is there a question here somewhere? I think I am having a
> > hard time interpreting it.
> >
> > Chris
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php