[dev] Fwd: [Bug 1246] New - session hijacking using referer URL

Eric Rostetter eric.rostetter at physics.utexas.edu
Thu May 15 05:54:53 PDT 2003


Quoting Jan Schneider <jan at horde.org>:

> I don't think that would be a problem, and I can't see how to let the
> dereferer know that the user comes from Horde without tacking on another
> piece of hijackable information.

Not reliably.  That is, the point is to nuke the referer, and hence we
would expect to be able to tell by the referer.  However, the referer
can be faked or omitted, so we can't depend on it being there.

The concept of abuse worries me slightly, but the fact that sites like
yahoo do this and don't seem to have problems makes me think it probably
isn't a huge problem in real life...
 
> Jan.
> 
> --
> http://www.horde.org - The Horde Project
> http://www.ammma.de - discover your knowledge
> http://www.tip4all.de - Deine private Tippgemeinschaft
> 
> --
> Horde developers mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: dev-unsubscribe at lists.horde.org
> 


-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
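Added example (not Horde's code, and not from the thread): a minimal
dereferer of the kind being discussed, as a Python WSGI-style handler.
It shows the two points above in code: the outbound hop is an HTML
interstitial rather than an HTTP 302, because browsers carry the original
Referer (and with it a session ID in the URL) across a 3xx redirect; and a
Referer check fails closed for the many clients that omit the header and
is trivially satisfied by a forged one, so it cannot be what the dereferer
relies on. The query parameter `url`, the host `mail.example.org` and the
function names are assumptions for illustration.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Only absolute http(s) targets are bounced. Rejecting javascript:, data:,
# scheme-relative ("//host/...") and relative URLs keeps the dereferer from
# becoming a script gadget or a way to bounce back into the application.
ALLOWED_SCHEMES = {"http", "https"}


def validate_target(url):
    """Return the target URL if it is an absolute http(s) URL, else None."""
    if url is None:
        return None
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def dereferer_page(query_string):
    """Handle GET /dereferer?url=<target>; return (status, headers, body).

    An HTML page with a meta refresh is emitted instead of a 302 on purpose:
    on a 3xx redirect the browser keeps the Referer of the page that linked
    here (the Horde URL, session ID included), whereas the request triggered
    by the interstitial carries the dereferer URL as its Referer, which holds
    nothing sensitive.
    """
    params = parse_qs(query_string)            # assumed parameter name: url
    target = validate_target(params.get("url", [None])[0])
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "no-store",
        # Modern browsers also honour this header (it did not exist in 2003);
        # it is belt-and-braces, the interstitial does the real work.
        "Referrer-Policy": "no-referrer",
    }
    if target is None:
        return 400, headers, "<p>Bad target URL</p>"
    safe = escape(target, quote=True)          # target lands inside HTML
    body = (
        "<!DOCTYPE html><html><head>"
        f'<meta http-equiv="refresh" content="0; url={safe}">'
        "<title>Redirecting</title></head><body>"
        f'<p>Redirecting to <a href="{safe}">{safe}</a></p>'
        "</body></html>"
    )
    return 200, headers, body


def referer_looks_internal(headers, app_host):
    """True only when a Referer header is present and names app_host.

    Demonstrates why this cannot gate anything: a missing header (privacy
    proxies, direct navigation, many browsers) yields False for a legitimate
    user, and any client can send a forged one and get True.
    """
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).netloc.lower() == app_host.lower()


if __name__ == "__main__":
    # Constructed sample requests.
    print(dereferer_page("url=https%3A%2F%2Fexample.org%2Fa%3Fb%3D1%26c")[0])
    print(dereferer_page("url=javascript:alert(1)")[0])
    print(referer_looks_internal({}, "mail.example.org"))
```

The validation step is what addresses the "abuse" concern in the message
above: without it the dereferer is an open redirect that anyone can point
at arbitrary destinations.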
