Re: •Re: $ENV{HTTP_REFERER} Problem on a Windows Client

You are right. I used the referer in a "crude" way to determine if my session id is directly called or passed from a script. I was avoiding the possibility of session hijacking or replaying where one simply replay a session_id from the browser history and there he goes... doing stuffs he's not supposed to do.

Though my session id's are set to expire after "n" minutes, is there another sanity check besides using a "trivial" referrer?

Comment on Re: •Re: $ENV{HTTP_REFERER} Problem on a Windows Client

Replies are listed 'Best First'.
•Re: Re: •Re: $ENV{HTTP_REFERER} Problem on a Windows Client by merlyn (Sage) on May 24, 2004 at 12:15 UTC
To avoid replay attacks, use my "one click" processing technique. That'll also verify that it was a fresh form submission, and not forged from somewhere else. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]
Re: •Re: Re: •Re: $ENV{HTTP_REFERER} Problem on a Windows Client by soon_j (Scribe) on May 24, 2004 at 12:43 UTC
Thanks! It's an excellent article.	[reply]