Ripe Md wrote:
> With referers (HTTP_REFERER) it is easy to take over sessions in some
> Web applications, Forums (phpBB) and so forth.

The natural conclusion would be that storing such session information as part of the URL is what is evil, not the concept of the referer. It also violates the ideal that URLs should be kept as short and simple as is reasonable, and not contain long strings of unintelligible garbage.

In the same vein, most forum software fails to follow the guideline that no HTTP GET should be able to cause a stateful change (such as deleting a post), as was painfully demonstrated by the Google web accelerator debacle.

Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
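An added example, not part of this thread or of any forum project: a Python access-log audit that flags the two anti-patterns discussed above, session identifiers carried in URLs (and therefore copied into Referer headers) and state-changing actions reachable by plain GET. The log lines, the host name, the `sid` parameter name and the `/posting.php?mode=delete` action are constructed stand-ins chosen for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed combined-format access-log lines; host, paths and "sid" are stand-ins.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2005:12:00:01 +0000] "GET /viewtopic.php?t=42&sid=0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2005:12:00:09 +0000] "GET /img/banner.gif HTTP/1.1" 200 311 "http://forum.example/viewtopic.php?t=42&sid=0123456789abcdef" "Mozilla/5.0"
198.51.100.7 - - [10/May/2005:12:01:30 +0000] "GET /posting.php?mode=delete&p=99 HTTP/1.1" 200 900 "http://forum.example/viewtopic.php?t=42" "Prefetcher/1.0"
198.51.100.7 - - [10/May/2005:12:02:00 +0000] "POST /posting.php?mode=delete&p=100 HTTP/1.1" 302 0 "http://forum.example/viewtopic.php?t=42" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumed names of session parameters and of state-changing actions; adjust per application.
SESSION_PARAMS = {"sid", "phpsessid", "sessionid"}
STATE_CHANGING = [("/posting.php", "mode", {"delete", "edit"})]

def session_params(url):
    """Return the session-identifier parameter names present in a URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SESSION_PARAMS)

def is_state_changing(target):
    """True when the request target names an action that mutates server state."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return any(parts.path == path and set(query.get(key, [])) & values
               for path, key, values in STATE_CHANGING)

def audit(log_text):
    """Scan log lines and return (line_no, finding) pairs for the two anti-patterns."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; real tooling would count these
        if session_params(m["target"]):
            findings.append((n, "session id in request URL"))
        # A Referer built from such a URL carries the same id to any site linked from the page.
        if m["referer"] not in ("", "-") and session_params(m["referer"]):
            findings.append((n, "session id leaked via Referer"))
        # Safe methods must not mutate state; a prefetcher or accelerator follows GETs blindly.
        if m["method"] == "GET" and is_state_changing(m["target"]):
            findings.append((n, "state-changing action invoked by GET"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

Run against a real log, the third finding is also the signature of the prefetch problem: a GET to a mutating action from a user agent that never rendered the page.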
