On Thu, 2008-01-31 at 20:24 +0100, Per Jessen wrote:
> Richard Lynch wrote:
> 
> >>> It CANNOT be tied to the IP address, because most users' IP
> >>> addresses are not static.
> >>
> >> I think it is for the duration of the session. Mine certainly is.
> > 
> > Yours might be.
> > AOL users are *NOT*.
> > In peak periods, an AOL user's IP address will change with every HTTP
> > request.
> 
> Surely you are joking??  Don't they use DHCP for dishing out addresses? 
> I guess AOL users just have to do without https during peak hours :-)
> 
> > Further, large corporate users will ALL appear as a single IP address.
> 
> Yes, that's assuming they're using NAT - which many small and large
> entities will be, I agree.  In such cases, if the session id _is_
> somehow tied to the IP-address, any attempt to hijack the session from
> outside the NAT'ed network will fail.
> 
> >> Regardless, I did some googling and read a bit about session
> >> hijacking and such.  I still don't see much of a serious problem. 
> >> When Firefox switches off REFERER by default, we can talk again.
> > 
> > Suppose only 0.1% of the Internet users have REFERER off.
> > 
> > You say "That's not much.  0.1%"
> > 
> > Now suppose there are a billion people who use the Internet.
> > 
> > What is 0.1% of a billion?
> > 
> > Do the math.
> 
> 10 million.  But what I said was that _maybe_ 0.00X% have REFERER
> switched off - and 0.001% of 1 billion is 10,000 people.  I can live
> with that.
> 
> > If you have even a few thousand visitors, you are likely getting at
> > least a few that have no REFERER...
> 
> Like I said, I can live with that.  If people are that paranoid, they
> shouldn't be on the internet at all, IMHO. 

Not just people. Many firewalls either strip or modify the referrer.
Information leakage is a security issue. IMHO referer logging should
need to be turned on, not off.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
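The two checks debated above, binding a session to the client IP address and verifying the Referer header, written out as an added PHP illustration; this is not code from the list or from any of the posters. The function, the scenario labels and the addresses are constructed for the example, and it shows where each check gives the wrong answer: strict IP binding locks out a user whose address rotates between requests and does nothing about a hijacked session id used from inside the same NAT, while a Referer check must treat an absent header as unknown rather than hostile, since browsers can switch it off and firewalls strip or rewrite it.

```php
<?php
// Added example (hypothetical names; not the list's or any poster's code).

/**
 * Decide whether a request may continue an existing server-side session.
 *
 * $session: what was recorded when the session was created
 *           ['ip' => client address, 'site_host' => our own hostname]
 * $request: the incoming request's address and Referer header (null if absent)
 * $bindIp:  whether to reject the request when the client address has changed
 *
 * Returns the list of reasons for rejection; an empty list means "accept".
 */
function sessionCheckReasons(array $session, array $request, bool $bindIp): array
{
    $reasons = [];

    // IP binding: only sensible when the client's address is stable for the
    // whole session. A user whose address rotates per request is locked out,
    // and a request from behind the same NAT as the victim passes unnoticed.
    if ($bindIp && $request['ip'] !== $session['ip']) {
        $reasons[] = 'ip-mismatch';
    }

    // Referer check: an absent header is not evidence of hijacking, because
    // some browsers have it switched off and many firewalls strip or rewrite
    // it. Only a Referer that is present and names a foreign host counts.
    $referer = $request['referer'];
    if ($referer !== null && $referer !== '') {
        $host = parse_url($referer, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $session['site_host']) !== 0) {
            $reasons[] = 'foreign-referer';
        }
    }

    return $reasons;
}

// Constructed scenarios mirroring the cases raised in the thread.
$session = ['ip' => '203.0.113.10', 'site_host' => 'shop.example'];

$scenarios = [
    'legitimate user, stable address' =>
        ['ip' => '203.0.113.10', 'referer' => 'https://shop.example/cart'],
    'legitimate user, address rotated mid-session (AOL case)' =>
        ['ip' => '203.0.113.77', 'referer' => 'https://shop.example/cart'],
    'hijacked session id used from outside the NAT' =>
        ['ip' => '198.51.100.5', 'referer' => 'https://shop.example/cart'],
    'hijacked session id used from inside the same NAT' =>
        ['ip' => '203.0.113.10', 'referer' => 'https://shop.example/cart'],
    'legitimate user, firewall stripped the Referer' =>
        ['ip' => '203.0.113.10', 'referer' => null],
    'request arriving from a foreign page' =>
        ['ip' => '203.0.113.10', 'referer' => 'https://other.example/page'],
];

foreach ($scenarios as $label => $request) {
    $bound   = sessionCheckReasons($session, $request, true);
    $unbound = sessionCheckReasons($session, $request, false);
    printf("%-58s ip-bound: %-16s unbound: %s\n",
        $label,
        $bound === []   ? 'accept' : implode(',', $bound),
        $unbound === [] ? 'accept' : implode(',', $unbound));
}
```

Run with `php` on the command line. The output makes the thread's trade-off concrete: with IP binding on, the rotated-address user and the outside-NAT hijack are both rejected, the inside-NAT hijack is accepted either way, and the stripped-Referer request is accepted because the check only reacts to a Referer that is present and foreign.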

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
