JH> are associated with a specific id. First, URLs carrying session ids. If
JH> you link to an external site, the URL including the session id might be
JH> stored in the external site's referrer logs. Second, a more active
JH> attacker might listen to your network traffic. If it is not encrypted,
JH> session ids will flow in plain text over the network. The solution here is
JH> to implement SSL on your server and make it mandatory for users."
Also, I want to note: if sids are accessible via HTTP_REFERER, there is a way to execute PHP scripts on behalf of a user. For example, the user clicks a link to some PHP script which grabs the sid from the referer and then outputs HTML with a redirect to another script (for example, to set a forwarding filter, etc.). Since the sid is valid and the script was called from the user's PC, this is quite a bad thing, but unfortunately this still exists on several web-based e-mails. So, be careful in using only the session mechanisms provided by PHP. It's quite insecure.

--
Best regards,
Martchukov Anton aka VH
mailto:[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
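The configuration the quoted advice and the reply argue for, as an added example that is not code from the thread: the session id is kept out of URLs (so it cannot leak through Referer headers or external referrer logs), TLS is made mandatory, and an id arriving in the query string is refused instead of honoured. The session directives are standard php.ini settings; the cookie name and the function name are assumed for this example.

```php
<?php
// Added example, not from the original thread. Hardens PHP session handling
// against the leaks discussed above. SESSION_NAME and harden_session() are
// names assumed for this example.

const SESSION_NAME = 'APPSESSID'; // assumed cookie name

function harden_session(): void
{
    // Weak settings behind the problem described in the thread:
    //   session.use_trans_sid = 1, session.use_only_cookies = 0
    // With those, PHP rewrites links to carry ?APPSESSID=..., so the id is
    // sent in the Referer header of every outbound link the user follows.
    ini_set('session.use_trans_sid', '0');    // never append the id to URLs
    ini_set('session.use_only_cookies', '1'); // ignore ids passed via GET/POST
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued

    // "Implement SSL and make it mandatory": redirect plain HTTP to HTTPS so
    // the id never travels in clear text on the wire.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }

    // An id in the query string is exactly the leak the reply describes;
    // refuse the request rather than treat the id as valid.
    if (isset($_GET[SESSION_NAME])) {
        http_response_code(400);
        exit('Session ids are not accepted in the URL.');
    }

    session_name(SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // cookie only sent over HTTPS
        'httponly' => true,     // not readable from script
        'samesite' => 'Strict', // PHP 7.3+
    ]);

    // Keep this site's own URLs out of external referrer logs as well.
    header('Referrer-Policy: same-origin');

    session_start();
    if (empty($_SESSION['initialised'])) {
        session_regenerate_id(true); // fresh id once the session exists
        $_SESSION['initialised'] = true;
    }
}

harden_session();
```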