02-11-2005, 06:17 PM   #11
technobard
Centurion Nova Prime
Join Date: May 2002
Location: Oak Park, IL (USA)
Posts: 285
Hey, Admin. You've probably coded the solution already, but I just had to post this follow-up. If you have access to php.ini, you can set the following:

session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. Defaults to the empty string.

Cool, huh? I was looking for something else and came across this (story of my life). Anyway, on the off chance you haven't written any code to check things yet, this might be a more centralized solution with no coding required. The only thing that bothers me is the wording: "if the Referer was sent by the client". This seems strange. If you cut and paste or type the URL, HTTP_REFERER is null. The same thing if you link to it in an email. I don't know if that's covered by this. A test is the only way to be sure. Either way, be sure to post the solution.
__________________
It takes 2 points to draw a straight line, but at least 3 points to draw a conclusion.
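As an added example (not part of the post above), the following PHP script shows the setting being applied per script with ini_set() rather than in php.ini, and models the rule exactly as the quoted documentation states it: the check only runs when the client actually sent a Referer header, and it is a plain substring match. The helper function, the needle value and the sample requests are constructed here for illustration.

```php
<?php
// Added example: models PHP's session.referer_check as documented.
// ini_set() / session_start() are real PHP; referer_check_passes() and the
// sample requests below are constructed for illustration only.

// Must be set before session_start(). The empty string (the default)
// disables the check entirely.
ini_set('session.referer_check', 'example.com');

/**
 * Mirror of the documented rule: if the request carries a Referer and the
 * configured substring is not found in it, the session id the client
 * supplied is treated as invalid and a fresh session is started. A request
 * with no Referer at all (typed URL, bookmark, link from a mail client) is
 * not checked and keeps its session id.
 */
function referer_check_passes(array $server, string $needle): bool
{
    if ($needle === '') {
        return true;                         // feature disabled
    }
    if (!isset($server['HTTP_REFERER'])) {
        return true;                         // no Referer sent: no check
    }
    return strpos($server['HTTP_REFERER'], $needle) !== false;
}

// In a web request, session_start() applies the same rule internally;
// a rejected id shows up as an empty $_SESSION and a new cookie.
if (PHP_SAPI !== 'cli') {
    session_start();
}

// Constructed sample requests covering the cases discussed above.
$needle  = ini_get('session.referer_check');
$samples = [
    'typed URL / bookmark (no Referer)' => [],
    'link from own site'                => ['HTTP_REFERER' => 'https://www.example.com/forum/index.php'],
    'link from another site'            => ['HTTP_REFERER' => 'https://other.example.net/page'],
    // Substring semantics: any host that merely contains the string passes.
    'lookalike host'                    => ['HTTP_REFERER' => 'https://example.com.attacker.test/'],
];

foreach ($samples as $label => $server) {
    printf(
        "%-36s %s\n",
        $label,
        referer_check_passes($server, $needle) ? 'session id kept' : 'session id dropped'
    );
}
```

Run from the command line it prints one line per sample; the first three behave as the poster expects, and the last one passes too, because "contains the substring" is exactly what the documentation promises. If you rely on this setting, choose a needle that pins down the origin, such as 'https://www.example.com/', rather than a bare host name.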