#1
Session ids in HTTP_REFERER

I am stuck. I am reviewing (auditing, call it whatever) the SESSION MANAGEMENT of GIDTopsites™ Members' Control Panel when I hit a snag.
Let's say the session ID is in the URL (for members who have not enabled cookies). Now this member clicks on an external link from the page; surely the session ID appears in the HTTP_REFERER environment variable of the new website? How can I manipulate this so it does not show? Or would it show at all? Though I am certain it would...
__________________
J de Silva Learning Journal | GIDForums™ | GIDNetwork™ | GIDWebhosts™ | GIDSearch™
#2
I don't believe a session ID from one site will carry to another site unless you are using DB session handling and both sites are accessing the same DB. The URL identifier session ID is for accessing pages on the same site only.
#3
You seem to have misunderstood my post. I am aware they are not appended to ext. links; however, they DO appear in the HTTP_REFERER env. variables of the other site. This is the issue... I don't want it to appear:
e.g. if a member clicks on http://www.example.com (note there's no session id appended to the link, of course), the webmaster at www.example.com scanning through his traffic analyzer WOULD note that he received a hit from, let's say: http://topsites.gidhelp.com/member_edit.php?s_id=1&s=3hr4hfy59fb835198bfcai9ku 777h ( <- session id). Possible? VERY...
__________________
J de Silva Learning Journal | GIDForums™ | GIDNetwork™ | GIDWebhosts™ | GIDSearch™
#4
Hmmm... yeah, misunderstood what you wanted there... Ok... hmmm... they can't be stripped when logged unless you are using PHP to do your logging. They CAN be stripped and combined with same domain/site links which don't have them, though, using some judicious echoes and not a few regex functions... I am not sure of exactly how to do it off the top of my head though.
#5
That's certainly a security problem. There is no way, as far as I know, to prevent the browser sending this ID in the Referral header. Cookies were designed not to give such info to other URLs, hence a better tool.
The only suggestion (bar using cookies too) is for every URL on your site to point to a redirect page, which strips this from the URL and redirects as normal. A regexp to intercept a URL (www.google.com) and instead point it to "http://www.desilva.com/redirect?url=http://www.google.com", which redirects you to Google but also clears the session ID in the referral bit.
Garth Farley
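A worked version of the redirect-page idea above, added here as an example; it is not code from the thread or from GIDTopsites. It assumes PHP 7+, that member pages are passed through the `rewrite_external_links()` helper so outbound links become `/redirect.php?url=<encoded target>`, that hrefs are double-quoted, and that the site's own host is `topsites.gidhelp.com` as quoted in the thread. One caveat the thread does not mention: a plain HTTP 302 `Location` redirect does not help, because browsers keep the original page (session id included) as the Referer when following a redirect, so the script serves a small interstitial page that tells the browser to send no referrer at all.

```php
<?php
// redirect.php: outbound-link interstitial. Added example, not GIDTopsites code.
// Assumes PHP 7+ and that member pages have been run through
// rewrite_external_links() so external links become /redirect.php?url=<encoded>.

// Rewrites href="http(s)://..." links that leave $ownHost (assumed value:
// topsites.gidhelp.com, the host quoted in the thread) to go via redirect.php.
function rewrite_external_links(string $html, string $ownHost): string
{
    return preg_replace_callback('~href="(https?://[^"]+)"~i',
        function (array $m) use ($ownHost): string {
            $host = parse_url($m[1], PHP_URL_HOST);
            if ($host !== null && strcasecmp($host, $ownHost) === 0) {
                return $m[0];                          // internal link: keep as-is
            }
            return 'href="/redirect.php?url=' . rawurlencode($m[1]) . '"';
        }, $html);
}

$target = $_GET['url'] ?? '';
$parts  = parse_url($target);
// Only absolute http(s) URLs with a host; this rejects javascript:, data: and
// protocol-relative targets. It is still an open redirect to any http(s) host:
// in production also check the host against an allowlist or require an HMAC
// over the url parameter (not shown here).
if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])
    || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
    http_response_code(400);
    exit('Invalid outbound link.');
}

// Do NOT answer with a 302 Location header: browsers keep the original page
// (including its s= session id) as the Referer when following a redirect.
// Serve a small page instead and tell the browser to send no referrer at all.
header('Referrer-Policy: no-referrer');
header('Cache-Control: no-store');
$safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head>
<meta name="referrer" content="no-referrer">
<meta http-equiv="refresh" content="0;url=<?= $safe ?>">
<title>Leaving GIDTopsites</title>
</head><body>
<p>Taking you to <a href="<?= $safe ?>" rel="noreferrer noopener"><?= $safe ?></a> ...</p>
</body>
</html>
```

The external site then sees either no Referer or, in browsers that ignore the policy, only `/redirect.php?url=...`, which carries no session id.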
#6
hmm... interesting angle.
But what about that infamous possibility of 'spoofing referrers' that everyone talks about BUT no one seems to be able to explain to me?
__________________
J de Silva Learning Journal | GIDForums™ | GIDNetwork™ | GIDWebhosts™ | GIDSearch™
#7
Hmmm... of course the other option is to use IPs and a database to track sessions; then there's no need to worry about any of this at all, i.e. forget about PHP's built-in session handling: either write your own or find a DB session handler online somewhere. With session IDs and info stored in the DB along with the IP of the person browsing, there is no longer a need to send out your SID in ANY of your URLs, including those that are internal to the site.
#8
hey, THAT's an idea! IP: sessions are short-term anyway, so I could check the IP, yeah!
__________________
J de Silva Learning Journal | GIDForums™ | GIDNetwork™ | GIDWebhosts™ | GIDSearch™
#9
Are IPs really that unique? I'm using a University intranet with a leased line to the net, using, I think, a single IP. Say I log in; wouldn't that mean that every person in the Uni can have access?
#10
But, they would need your session id?
__________________
J de Silva Learning Journal | GIDForums™ | GIDNetwork™ | GIDWebhosts™ | GIDSearch™