Ender, any link sent to the original surfer (or others) that is either a) clicked on in an email or b) cut and pasted into the browser will have a null HTTP_REFERER. To have a non-null value, the link has to be part of a hosted webpage. You can test this by copying Admin's example link and pasting it into your browser. If you view source for the page, the referrer is null. It's easier to see the difference if you just click on the link and view source first. Look for codenewbie.com at the bottom. Then try the same thing by copying and pasting the URL. This should prevent session hijacking in the way you described.
__________________
It takes 2 points to draw a straight line, but at least 3 points to draw a conclusion.
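The check the reply above relies on, as an added illustration (example code, not from this thread or the site it discusses): a small WSGI app that honours a session-carrying link only when the request's Referer names the post's own host, codenewbie.com, and treats a missing Referer (link pasted into the address bar, or clicked in an email client) or a Referer from another site as a fresh visit. The path, the session id, the other host names and the function names are constructed for the example.

```python
"""Referer-based check: did this request come from a link on our own pages?

Added example, not code from the forum thread.  The host name
codenewbie.com comes from the post; the paths, session id, other hosts
and function names below are constructed for illustration.
"""
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

OUR_HOST = "codenewbie.com"  # taken from the post


def classify_referer(referer, our_host=OUR_HOST):
    """Return 'none', 'same-site' or 'cross-site' for a Referer header value.

    'none' is the case the post describes: a link clicked in an email client
    or cut-and-pasted into the browser arrives with no Referer at all.
    Browsers send Referer as an absolute URL, so a bare 'host/path' value
    (no scheme) has no hostname here and is treated as cross-site.
    """
    if not referer:
        return "none"
    host = (urlsplit(referer.strip()).hostname or "").lower()
    if host == our_host or host.endswith("." + our_host):
        return "same-site"  # codenewbie.com itself or a subdomain of it
    return "cross-site"     # includes look-alikes such as codenewbie.com.evil.example


def is_request_from_our_pages(environ, our_host=OUR_HOST):
    """WSGI exposes the header as HTTP_REFERER, the same name the post uses."""
    return classify_referer(environ.get("HTTP_REFERER"), our_host) == "same-site"


def app(environ, start_response):
    """Serve the members page only to requests that followed one of our links;
    everything else is sent to log in again, so a forwarded or pasted URL
    carrying someone else's session id does not open their session."""
    if is_request_from_our_pages(environ):
        status, body = "200 OK", b"welcome back\n"
    else:
        status, body = "403 Forbidden", b"please log in\n"
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def call_app(referer=None, path="/members", query="sid=abc123"):
    """Drive the app with a constructed request (no network needed).
    Returns (status line, response body)."""
    environ = {"PATH_INFO": path, "QUERY_STRING": query}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    setup_testing_defaults(environ)  # fills in REQUEST_METHOD, HTTP_HOST, etc.
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests matching the three cases in the post.
    print("clicked on a codenewbie.com page:",
          call_app("http://codenewbie.com/forum/index.php")[0])
    print("pasted into the address bar / clicked in email:", call_app()[0])
    print("clicked on another site's page:",
          call_app("http://attacker.example/page.html")[0])
```

One caveat worth knowing when relying on this: a page can also suppress the header for links it hosts (`Referrer-Policy: no-referrer`, or `rel="noreferrer"` on the link), so a request with no Referer is not proof that the URL was pasted; the check above simply routes every such request to the login page, which is the behaviour the post describes.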