[nycphp-talk] Experts help needed (Sessions)
Chris Shiflett
shiflett at php.net
Sat Aug 6 16:42:48 EDT 2005
Nestor Florez wrote:
> A trick I use often is that I check the session ID and the referrer
> before allowing the user to continue to the next page.
You should discontinue this practice. It can adversely affect your
legitimate users, and it's a trivial safeguard with negligible value.
Referer is sent by the client. Everyone on the planet knows exactly what
you expect it to be. See the problem?
It would actually be better to make the client choose heads or tails -
at least this can only be guessed correctly about 50% of the time
instead of 100% of the time.
> It's not infallible, but it adds an extra layer.
This general approach is a good one (it's called Defense in Depth), but
try to pick a safeguard that has some value.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
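To make the point in the reply concrete, here is an added example (not part of the original post, and not PHP: it is Python so it can run stand-alone). It puts the Referer check beside a check on a per-session unpredictable secret and quantifies how often a client that knows "exactly what you expect" passes each one. The request and session dictionaries, the site URL and the function names are all constructed for illustration.

```python
import hmac
import secrets

# Constructed site URL (assumption for the example).
EXPECTED_REFERER = "https://example.com/step1.php"


def referer_check(request: dict, expected: str = EXPECTED_REFERER) -> bool:
    """The safeguard the reply warns against.

    `request` is a dict of the headers the server received. The Referer
    value is chosen entirely by the client, so the check passes for any
    request that simply carries the expected string, and it fails for a
    legitimate user whose browser or proxy does not send Referer at all.
    """
    return request.get("Referer") == expected


def issue_token(session: dict) -> str:
    """Store a fresh unpredictable secret in the server-side session.

    The returned value is meant to be embedded in the page the user is
    on, so that only a client that actually loaded that page in this
    session can present it on the next request.
    """
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    session["step_token"] = token
    return token


def token_check(request: dict, session: dict) -> bool:
    """A safeguard with value: the client must echo the session's secret."""
    expected = session.get("step_token")
    supplied = request.get("token")
    if not expected or not supplied:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected, supplied)


def guess_probability(bits_of_uncertainty: int) -> float:
    """Chance that a single blind guess passes a check with the given entropy."""
    return 2.0 ** -bits_of_uncertainty


def compare_safeguards() -> dict:
    """Per-guess pass rate of the three checks discussed in the reply."""
    return {
        "referer": guess_probability(0),    # expected value is public: 100%
        "coin_toss": guess_probability(1),  # heads or tails: 50%
        "session_token": guess_probability(128),
    }


if __name__ == "__main__":
    # A request carrying the public expected value passes the Referer check
    # whether or not it came through the intended page flow.
    print(referer_check({"Referer": EXPECTED_REFERER}))   # True
    # A privacy-conscious legitimate user with Referer stripped is rejected.
    print(referer_check({}))                              # False

    session = {}
    token = issue_token(session)
    print(token_check({"token": token}, session))         # True
    print(token_check({"token": "0" * 32}, session))      # False
    for name, p in compare_safeguards().items():
        print(f"{name}: {p:.3g}")
```

The two checks have the same shape in code, which is the trap: both compare a request value against something the server expects. The difference is whether the expected value is public (the URL of your previous page) or a secret the server generated for this session, and that is what decides whether the check has "some value".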