Date: 08/26/00
- Next message: Mike Green: "Re: [phplib] mod_rewrite for sessionids"
- Previous message: Bernd Neumayr: "Re: [phplib] registered vars broken in PHP4"
- In reply to: messju mohr: "Re: [phplib] mod_rewrite for sessionids"
- Next in thread: Mike Green: "Re: [phplib] mod_rewrite for sessionids"
- Reply: Mike Green: "Re: [phplib] mod_rewrite for sessionids"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> That's a good point. And I really have no solution for that problem yet.
> Disallowing caching and binding a session to a distinct IP could work in
> most cases. For sessions that need authentication the problem mentioned
> above won't occur. Though you should tell your users that if they bookmark
> these pages they are bookmarking access to an authenticated(!) session. This
> also occurs when bookmarking sessions that propagate their ID via GET.
I am going to come up with a patch soon that will mostly solve this problem.
What I'll do is add a new property to the session class called
"check_referer_on_get". If that is set to "yes" or "1", a session id that
comes in as a get variable will be ignored if $HTTP_REFERER isn't a page on
the current site, forcing a new session to be created.

I was bitten badly by this problem earlier this year. A client
(www.patsgold.com) decided to give away a free CD on their site. Numerous
people posted the link to the page on newsgroups and web sites, complete
with a session id. One session had over 900 people register on it before I
shut it down (I literally put code in session.inc to erase the session id if
it was in a list of known posted ids). To make matters worse, I made the
form automatically fill in a user's information, so everybody who went to
that page saw someone else's name, address, and phone number. It was a
nightmare.

I fixed it by hard coding "bad" sessions to be ignored, forced the user to
enter the password again before doing a registration or order (credit card
information is never shown, thankfully), and added "If you're not
first_name_of_login, click here.", which forces a new session to be created.

For those of you who think that this is terrible, note that if you turn off
cookies, go to cdnow.com, log in, and send the url to a friend, they'll be
logged in as you if they go to that url within a couple of hours. This
problem isn't limited to phplib, it's just a side effect of using get
variables to track sessions.

For those of you who think that we should just watch ip addresses, watch
someone use your site via AOL sometime :)

Michael
-- 
Michael Darrin Chaney
mdchaney <email protected>
http://www.michaelchaney.com
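The "check_referer_on_get" behaviour Michael describes, written out as an added example. This is not phplib's session class and not Michael's patch; the function name, the `sid` parameter name, the site host name and the constructed sample requests are all assumptions made for the illustration. The point it shows is the defensive decision: a session id that arrives in the query string is only honoured when the Referer names the site itself, and in every other case (off-site link, bookmark, stripped Referer) the id is dropped so the visitor gets a fresh session instead of joining someone else's.

```php
<?php
// Added example, not phplib code: decide whether a session id carried in the
// query string may be resumed. The function, its parameters and the sample
// requests below are invented for the illustration.

/**
 * Return the session id to resume, or null when a fresh session must be started.
 *
 * @param array  $get        the request's GET parameters (e.g. $_GET)
 * @param array  $server     the request's server variables (e.g. $_SERVER)
 * @param string $name       name of the session id parameter (assumed "sid")
 * @param string $site_host  hostname of this site, e.g. "www.example.com"
 * @param bool   $check_referer_on_get  when true, ids arriving via GET need an on-site Referer
 */
function session_id_from_request(array $get, array $server, string $name,
                                 string $site_host, bool $check_referer_on_get): ?string
{
    if (!isset($get[$name]) || $get[$name] === '') {
        return null;                // no id in the URL: nothing to resume
    }
    $id = (string) $get[$name];
    if (!$check_referer_on_get) {
        return $id;                 // legacy behaviour: trust any id found in the URL
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);   // null for an empty or relative Referer
    if (!is_string($host) || strcasecmp($host, $site_host) !== 0) {
        // Link followed from a newsgroup, web page, mail or bookmark, or the
        // Referer was stripped: ignore the id so a new session is created
        // rather than attaching this visitor to somebody else's session.
        return null;
    }
    return $id;
}

// Constructed requests against a site assumed to be hosted at www.example.com.
$site  = 'www.example.com';
$cases = [
    'internal link'         => [['sid' => 'abc123'], ['HTTP_REFERER' => 'http://www.example.com/index.php'], 'abc123'],
    'posted on a newsgroup' => [['sid' => 'abc123'], ['HTTP_REFERER' => 'http://groups.example.org/thread/42'], null],
    'bookmark, no Referer'  => [['sid' => 'abc123'], [], null],
    'no id at all'          => [[], ['HTTP_REFERER' => 'http://www.example.com/'], null],
];
foreach ($cases as $label => [$get, $server, $expected]) {
    $got = session_id_from_request($get, $server, 'sid', $site, true);
    printf("%-22s -> %s\n", $label, $got === null ? 'new session' : "resume $got");
    assert($got === $expected);
}
```

The check is only as good as the Referer header: browsers, proxies and privacy tools routinely omit it, so a user following an on-site link without a Referer also lands in a new session. That is a usability cost, not a security hole, since the failure mode is "start over" rather than "share a stranger's session", which is exactly the trade Michael's patch makes.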