On Tuesday 18 November 2003 14:18, Jason Ziemba wrote:
> I'm not going to claim that my method is fool-proof, but..
> If you are using sessions on your site then you should have the ability to
> track the movement of a user throughout your system.
>
> If you record the last page the user was on (with a specific session-id)
> and then check the referrer server variable on their next hit. Compare
> the referrer to their last known page. Most of the time (depending on the
> complexity of your site) the referrer and last known page should match.
> If their session is 'hijacked', odds are the 'hijacker' will not be
> following in a valid user's footsteps, more likely they will just be
> coming at the server with rogue data. The referrer check won't match and
> thus the validity of the session request is also void.
Hello,

if you open a link in a new tab or a new window and then open a link in the original tab/window, this check will fail and thus lock out legitimate users. Furthermore, it won't really help to improve security as the referer header can easily be spoofed.

Regards
Jakob

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
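The referrer-versus-last-page check from Jason's post, replayed against the two-tab navigation Jakob describes, as an added simulation that is not code from either poster; the session store, page paths and request sequences are constructed for illustration.

```python
"""Simulation of the 'Referer must equal last page served' session check
and the two-tab browsing pattern that makes it reject a legitimate user.
Constructed example: session store, page paths and hits are made up."""

from typing import Optional

# Constructed in-memory session store: session id -> last page served.
SESSIONS: dict[str, Optional[str]] = {}


def serve(session_id: str, page: str) -> None:
    """Record the page just served to this session (the 'last known page')."""
    SESSIONS[session_id] = page


def referrer_check(session_id: str, referer: Optional[str]) -> bool:
    """The proposed check: the Referer on the next hit must equal the last
    page recorded for the session. A first hit (no page recorded) passes."""
    last = SESSIONS.get(session_id)
    if last is None:
        return True
    return referer == last


def simulate(session_id: str, hits: list[tuple[str, Optional[str]]]) -> list[bool]:
    """Replay (requested_page, referer) hits for one session and return the
    check result per hit. A page is recorded only when its hit passed,
    as a real implementation would do."""
    results = []
    for page, referer in hits:
        ok = referrer_check(session_id, referer)
        results.append(ok)
        if ok:
            serve(session_id, page)
    return results


def two_tab_user() -> list[bool]:
    """Jakob's objection: the user opens /a, opens /b in a new tab (Referer
    /a), then clicks another link in the original tab (Referer still /a).
    The last recorded page is now /b, so the legitimate third hit fails."""
    SESSIONS.clear()
    return simulate("sid-legit", [("/a", None), ("/b", "/a"), ("/c", "/a")])


def check_depends_only_on_client_input() -> bool:
    """Both compared values (session id and Referer) arrive from the client,
    so any request carrying the expected pair passes regardless of sender."""
    SESSIONS.clear()
    serve("sid-x", "/account")
    return referrer_check("sid-x", "/account")
```

Running `two_tab_user()` returns `[True, True, False]`: the lockout happens on an ordinary click, not on anything rogue.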
