there is an option in php.ini:
session.referer_check =
which should fit your needs. not sure how to use it, but probably one of the php developers on this list can assist...
sebastian
> -----Original Message-----
> From: adam (dahamsta) [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 27 June 2001 19:39
> To: [EMAIL PROTECTED]
> Subject: [PHP] Stopping stolen / spoofed / linked sessions
>
>
> [Please copy replies off-list.]
>
> I want to use PHP4 sessions for authentication, but I'm having difficulty
> understanding how to get around users spoofing, stealing or linking sessions.
> Here's an example: Alice sends Bob a link from a site she's logged into.
> Alice has cookies turned off in her browser, so the session id will be in the
> URL she sends Bob. Eve intercepts the message, follows the link and now she
> can take over Alice's session, and any data that is associated with that
> session. For that matter, Bob can do the same thing.
>
> I can think of lots of ways around this, but most of them are kludges that
> don't really cut it. I can store a second authentication value in a cookie,
> but that would require cookies, which isn't acceptable. I could propagate a
> second authentication variable in the URL, but that's a lot of hassle and
> defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if
> the user came from my own site, but that can be spoofed. I can log and check
> the user's IP address, but that can't be relied upon.
>
> Is there any reliable way around this? Am I missing something obvious?
>
> Cheers,
> adam
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail:
> [EMAIL PROTECTED]
>
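As an added illustration (not code from either poster), here is how the session.referer_check option named in the reply, together with the other session settings that address the shared-link scenario in the question, would be applied from a script. It assumes a modern PHP (7 or later) where session.use_only_cookies, session.use_strict_mode and session_regenerate_id() exist, and it accepts the trade-off the question wanted to avoid: session ids travel only in cookies, never in the URL. The site name and the helper functions are hypothetical.

```php
<?php
// Added example, not from the thread. Hardened session setup for the
// scenario discussed above: Alice's session id ends up in a URL, and whoever
// follows the link (Bob or Eve) inherits her session.
// Assumes PHP 7+; use_only_cookies, use_strict_mode and session_regenerate_id()
// postdate the 2001 thread.

// Reject session ids supplied in the URL; only the session cookie is consulted.
ini_set('session.use_only_cookies', '1');
// Do not rewrite links to carry PHPSESSID, so a pasted link never contains it.
ini_set('session.use_trans_sid', '0');
// Refuse ids the server never issued (an attacker cannot pre-choose an id).
ini_set('session.use_strict_mode', '1');
// The option from the reply: if a Referer header is present and does not
// contain this substring, the embedded session id is marked invalid.
// Caveat: it only acts when a Referer is sent at all; a link opened from an
// e-mail client typically sends none, so it does not cover the case asked about.
ini_set('session.referer_check', 'example.com');  // hypothetical site name

session_start();

// Hypothetical helper: on successful authentication issue a fresh id, so any
// id that existed before login (shared, guessed or fixated) no longer maps
// to the authenticated user.
function login_user(string $user_id): void
{
    session_regenerate_id(true);  // true discards the old session data
    $_SESSION['user_id'] = $user_id;
    $_SESSION['logged_in_at'] = time();
}

// Hypothetical helper run on every request: enforce an absolute lifetime so a
// leaked session id is only useful for a bounded window.
function session_is_valid(int $max_age_seconds = 3600): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['logged_in_at'])) {
        return false;
    }
    if (time() - $_SESSION['logged_in_at'] > $max_age_seconds) {
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}
```

The ini_set() calls only affect the current script; the same keys can be set once in php.ini instead, which is how the reply above refers to session.referer_check.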