Sebastian Stadtlich said:

>there is an option in php.ini:
>
>session.referer_check     =
>
>which should fit your needs
>
>not sure how to use it, but probably one of the php-developers on this
>list can assist...

I looked at this thing and can't figure out that it does very much. 
If someone makes a web page that contains a link to my site that 
contains the PHPSESSID=... then that session id will be invalid. 
However, if they just type the same string into their browser by 
hand, it is accepted?

It seems that there is no stopping session spoofing if using the URL 
method. The only workaround is to expire sessions quickly or to 
require that cookies be used?


-- 
  Bill Rausch, Software Development, Unix, Mac, Windows
  Numerical Applications, Inc.  509-943-0861   [EMAIL PROTECTED]

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
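
The behaviour discussed in this message, as an added example that is not part of the original post or of PHP's own code. It models the documented session.referer_check rule (an id embedded in the URL is marked invalid only when the client sent a Referer that lacks the configured substring), then shows a cookie-only, short-lived session setup. The function names, host names and the 900-second lifetime are assumptions chosen for illustration, and session.use_strict_mode assumes a current PHP release.

```php
<?php
// Simplified model of the documented session.referer_check rule.
// $check is the configured substring; $referer is the request's Referer
// header, or null when the client sent none.
function refererCheckAccepts(string $check, ?string $referer): bool
{
    if ($check === '' || $referer === null || $referer === '') {
        // No check configured, or no Referer sent: the embedded id is kept.
        return true;
    }
    // A Referer was sent: it must contain the configured substring.
    return strpos($referer, $check) !== false;
}

// Constructed sample requests, each carrying the same PHPSESSID in the URL.
$cases = [
    'link on another site' => 'http://other.example/page.html',
    'link on own site'     => 'http://www.example.com/index.php',
    'typed by hand'        => null, // browsers send no Referer here
];
foreach ($cases as $label => $referer) {
    $ok = refererCheckAccepts('www.example.com', $referer);
    printf("%-22s %s\n", $label, $ok ? 'id accepted' : 'id rejected');
}

// Cookie-only session setup: ids arriving in the URL are never used.
function startCookieOnlySession(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore PHPSESSID in URLs
    ini_set('session.use_trans_sid', '0');    // never rewrite links with the id
    ini_set('session.use_strict_mode', '1');  // refuse ids the server did not issue
    ini_set('session.gc_maxlifetime', '900'); // constructed value: 15 minutes
    session_start();
}

// Call after a successful login so an id known before login stops working.
function rotateSessionIdAfterLogin(): void
{
    session_regenerate_id(true); // true deletes the old session data
}

// Only start a real session when serving a web request, not from the CLI.
if (PHP_SAPI !== 'cli') {
    startCookieOnlySession();
}
```

Run from the command line, the loop rejects only the link from the other site; the hand-typed request is accepted because no Referer accompanies it.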
