Looking through the php.ini file brought me to the following setting:

; Check HTTP Referer to invalidate externally stored URLs containing ids.

I looked in the manual and found this explanation:

"session.referer_check contains the substring you want to check each HTTP
Referer for. If the Referer was sent by the client and the substring was not
found, the embedded session id will be marked as invalid. Defaults to the
empty string."

This sounds like it will do what you are trying to do.


-----Original Message-----
From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 10:03 AM
To: PHP List
Subject: Re: [PHP] sessions not so secure..solution?

On Tue, Mar 19, 2002 at 08:37:43AM -0800, PHP freak wrote:

> BUT - it's actually happening often that someone linking to our store
> from their own website is including the long SESSID in the URL
> that links to us, to that everyone who follows that link from
> that website is getting the same shopping cart!

Two things.  First, tell the person linking to you to take the session 
id out of the link.  Second, rework your system to more precisely track 
things.  Here's what I track in my system:

  User Agent
  Referer = Last Page Viewed



                PHP scripts that make your job easier
         SQL Solution  |  Layout Solution  |  Form Solution
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to