The HTTP protocol provides the Referer header, which contains the URL of the page the user last visited. Sometimes this is very useful, but it is also a security risk: everything in a query string appended to the URL after a ? is sent to the other server.
This is especially a risk when the programmer of a PHP script transfers the session ID in this query string. Every server you link to, e.g. from a members section, can read the session ID from the Referer header.
Imagine you link to www.big-bad-hacker.com; a script on that server discovers from the Referer that you came from www.my-good-site.com/members.php?session_id=123456789, opens the members site with that same session ID in the same script, and downloads security-related information from your members site, e.g. the member's credit card number.
Here is the code solution:
Set all links as follows: <a href="dereferer_script.php?site=%original site%">, replacing %original site% with the original link, e.g. www.big-bad-hacker.com.
dereferer_script.php then only redirects to that link, so the other server sees this script's URL as Referer and not the members page with its session ID:
<?php
// Read the target from the query string (the original relied on register_globals
// to fill $site; reading $_GET explicitly works on every PHP version).
$site = $_GET['site'] ?? '';
header("Location: " . $site);
exit;
?>
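A hardened variant of the dereferer, written here as an added example rather than the original snippet: it only redirects to absolute http(s) URLs whose host is on an allow-list, so the script cannot itself be turned into an open redirect, and it sends a Referrer-Policy header so that browsers which carry the Referer across redirects also send nothing to the target. The file name dereferer.php and the allow-list contents are assumptions.

```php
<?php
// dereferer.php (added example, not the original script).
// Called as: dereferer.php?site=https://www.big-bad-hacker.com/
// Hosts that links on this site are allowed to point at (assumed list).
$allowedHosts = ['www.big-bad-hacker.com', 'www.example-partner.com'];

function resolve_target(string $site, array $allowedHosts): ?string
{
    // Require an absolute http(s) URL with a known host. Relative paths,
    // protocol-relative //host URLs and javascript: URLs are all rejected,
    // so the redirect can only lead to hosts we chose to link to.
    $parts = parse_url($site);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $site;
}

$target = resolve_target((string) ($_GET['site'] ?? ''), $allowedHosts);
if ($target === null) {
    // Unknown or malformed target: refuse instead of redirecting anywhere.
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "Unknown redirect target.\n";
    exit;
}

// The Referer the target can see is at most this script's own URL, never the
// members page with its session ID. Browsers that apply the Referrer-Policy
// of a redirect response to the follow-up request send no Referer at all.
header('Referrer-Policy: no-referrer');
header('Location: ' . $target, true, 302);
exit;
```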
Easy but useful. If you use session management as in PHP 4, you can do without the dereferer.
Please excuse mistakes in this text; my English is not perfect.