Looking through the php.ini file brought me to the following setting:

    ; Check HTTP Referer to invalidate externally stored URLs containing ids.
    ;session.referer_check

I looked in the manual and found this explanation:

"session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. Defaults to the empty string."

This sounds like it will do what you are trying to do.

Jason

-----Original Message-----
From: Analysis & Solutions [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 10:03 AM
To: PHP List
Subject: Re: [PHP] sessions not so secure..solution?

On Tue, Mar 19, 2002 at 08:37:43AM -0800, PHP freak wrote:
> BUT - it's actually happening often that someone linking to our store
> from their own website is including the long SESSID in the URL
> that links to us, so that everyone who follows that link from
> that website is getting the same shopping cart!

Two things. First, tell the person linking to you to take the session id out of the link. Second, rework your system to more precisely track things. Here's what I track in my system:

    User Agent
    Time
    Referer = Last Page Viewed

Enjoy,

--Dan

--
PHP scripts that make your job easier
http://www.analysisandsolutions.com/code/
SQL Solution | Layout Solution | Form Solution
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
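The two checks discussed in this thread, as an added example that is not code from any of the posters: the manual's rule for session.referer_check, and one reading of Dan's list (User Agent, Time, Referer = Last Page Viewed) as values stored in the session and compared on the next request. The function names, the 30-minute idle limit, the example hostnames and the sample requests are assumptions.

```php
<?php
// Added example. All names and sample values below are constructed.

// The rule quoted from the manual: an id embedded in the URL is rejected only
// when a Referer was sent AND it lacks the configured substring. This is a
// substring match, not a host comparison, and a missing Referer passes.
function refererCheckAccepts(string $substring, ?string $referer): bool
{
    if ($substring === '' || $referer === null || $referer === '') {
        return true; // check disabled, or no Referer sent: id is accepted
    }
    return strpos($referer, $substring) !== false;
}

// The three values from Dan's list, recorded on every page view.
function remember(array $request, int $now): array
{
    return ['ua' => $request['ua'], 'time' => $now, 'last_page' => $request['url']];
}

// Does a request presenting an existing id match what was recorded for it?
function sameVisitor(array $stored, array $request, int $now, int $maxIdle = 1800): bool
{
    return $stored['ua'] === $request['ua']
        && ($now - $stored['time']) <= $maxIdle
        && ($request['referer'] ?? null) === $stored['last_page'];
}

// Constructed requests: the shopper moves from cart to checkout, then a
// second visitor arrives via a link on another site that carries the same id.
$t0      = 1016553600;
$shopper = ['ua' => 'Browser-A', 'url' => 'http://store.example/cart', 'referer' => null];
$stored  = remember($shopper, $t0);
$next    = ['ua' => 'Browser-A', 'url' => 'http://store.example/pay',
            'referer' => 'http://store.example/cart'];
$linked  = ['ua' => 'Browser-B', 'url' => 'http://store.example/cart',
            'referer' => 'http://partner.example/links'];

$results = [
    'referer_check, external Referer' => refererCheckAccepts('store.example', $linked['referer']),
    'referer_check, no Referer sent'  => refererCheckAccepts('store.example', null),
    'tracking, shopper next page'     => sameVisitor($stored, $next, $t0 + 60),
    'tracking, visitor via link'      => sameVisitor($stored, $linked, $t0 + 60),
];
foreach ($results as $case => $accepted) {
    echo $case, ': ', $accepted ? 'accept' : 'reject', PHP_EOL;
}
```

When the tracking check rejects a request, the application would ignore the presented id and start an empty session rather than load the stored cart.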