Kryptronic Software Support Forum


#26 05-14-2009 16:02:19

mickyharris
Member
Registered: 03-30-2009
Posts: 16

Re: Serious security issue

Brett200 wrote:

Are you saying if someone copies a link (with SID in the url), they can send it to someone else, and the session is active for 15 minutes, so they could click that link and be logged in as that user?

Dave wrote:

No.  They would have to be using the same machine that the previous person was using (if there's a mismatch between the SID and the cookie data a new session is created).

Thanks Dave, that's a fair enough response. Maybe I missed something in an earlier post but I think on issues like this users need reassurance.


#27 06-06-2009 19:03:27

vbsaltydog
Member
From: Florida
Registered: 05-02-2005
Posts: 947

Re: Serious security issue

You could also check the http_referer and, if it is not ccp, ignore the sid and write a new one. This is a simple way to stop sid values passed in from search engine listings, email links, or links on other sites from sharing a session. This would NOT fix errors caused by links with the sid embedded being pasted into the ccp skins, but that is the only exclusion to this method of sid validation. This would basically do the same thing as the sid <=> cookie comparison but is just another layer of validation to reinforce the other methods in place.

-Stephen


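The two checks discussed in this thread, Dave's rule that a SID in the URL only counts when it matches the session cookie (post #26) and Stephen's extra layer of ignoring the URL SID when the Referer is not one of the store's own pages (post #27), modelled as a small Python decision function. This is an added example written for this page, not Kryptronic's ClickCartPro code; the hostnames, the `sid` parameter and cookie names, and the SID format are assumptions, and the sample requests are constructed.

```python
"""Added example: resolve which session ID a request should use.

Layer 1 (SID <=> cookie): a SID carried in the URL is only honoured when
it equals the SID the browser presents in its cookie, so a forwarded link
on a different machine starts a fresh session instead of joining the old one.
Layer 2 (Referer): even a matching URL SID is dropped when the request did
not come from one of our own pages (search engine listing, e-mail, other site).
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Assumed store hostnames, URL parameter and cookie name (not CCP's real ones).
OUR_HOSTS = {"shop.example.com", "www.shop.example.com"}
SID_PARAM = "sid"
SID_COOKIE = "sid"


def new_sid():
    """Fresh, unguessable session ID (128 bits from the OS CSPRNG)."""
    return secrets.token_hex(16)


def sid_from_url(url):
    """Return the SID embedded in the query string, or None."""
    values = parse_qs(urlparse(url).query).get(SID_PARAM)
    return values[0] if values else None


def referer_is_ours(referer):
    """True only when the Referer's hostname is exactly one of OUR_HOSTS.

    Comparing the parsed hostname (not a string prefix) means
    'shop.example.com.evil.net' is rejected, and a missing or empty
    Referer counts as foreign, which is why pasted links lose their SID.
    """
    if not referer:
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() in OUR_HOSTS


def resolve_session(url, cookies, headers, make_sid=new_sid):
    """Decide the session ID for one request.

    cookies and headers are plain dicts standing in for the request.
    Returns (sid, reason) so callers can log why a SID was or was not reused.
    """
    url_sid = sid_from_url(url)
    cookie_sid = cookies.get(SID_COOKIE)

    # No SID in the URL: the cookie alone drives the session.
    if url_sid is None:
        if cookie_sid:
            return cookie_sid, "cookie"
        return make_sid(), "new:no-sid"

    # Layer 1: URL SID must match the cookie SID. Constant-time compare on
    # bytes so a mismatch cannot be timed character by character.
    if not cookie_sid or not hmac.compare_digest(
        url_sid.encode("utf-8"), cookie_sid.encode("utf-8")
    ):
        return make_sid(), "new:cookie-mismatch"

    # Layer 2: the URL SID is only honoured for requests from our own pages.
    if not referer_is_ours(headers.get("Referer")):
        return make_sid(), "new:foreign-referer"

    return url_sid, "url"


def demo():
    """Run the constructed scenarios from the thread and return the outcomes."""
    link = "https://shop.example.com/cart.php?sid=0123456789abcdef"
    fresh = lambda: "fresh"  # deterministic stand-in for new_sid()
    return {
        # Same machine, navigating within the store: SID reused.
        "in-site click": resolve_session(
            link, {"sid": "0123456789abcdef"},
            {"Referer": "https://shop.example.com/index.php"}, fresh),
        # Link forwarded to another person (Brett200's question): no cookie.
        "forwarded link": resolve_session(
            link, {}, {"Referer": "https://mail.example.org/"}, fresh),
        # Same user pastes the link into the address bar: cookie matches
        # but there is no Referer, so layer 2 starts a new session.
        "pasted link": resolve_session(link, {"sid": "0123456789abcdef"}, {}, fresh),
    }


if __name__ == "__main__":
    for label, (sid, reason) in demo().items():
        print(f"{label:15s} -> {reason:22s} sid={sid}")
```

The Referer check is deliberately the second layer, not the first: the header is sent by the client and can be forged or, more often, simply absent (mail clients, bookmarks, HTTPS-to-HTTP transitions, privacy settings), so on its own it would both miss attackers and, as Stephen notes, break legitimate pasted links. The cookie comparison is the check that actually ties the SID to the browser that created it.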
