Posted by Chris Shiflett on 09/22/05 01:53
Steve Lefevre wrote:
> No, it's not. They're totally separate machines at different ISPs.
In this case, a user's session is stagnant for the duration of their
trip to the other server. I'm guessing that users are typically only
there for a brief moment, but this is something to keep in mind. Is
there a way that some of your users might spend more time than you
expect at the development site?
> > Checking Referer is useless, because everyone knows what you
> > expect it to be.
>
> I'm not following you. How would anyone know what it should be?
> Do you know what it should be?
Heh. :-) Sorry about the ambiguity.
What I mean is that people are only likely to know where your
spell-checking thing is if they use your site. These people, by using
your site, are going to know what the expected Referer is. Does that
make more sense?
In order to highlight how useless checking the Referer is, I often point
out that making the attacker choose between heads and tails offers more
protection. The attacker is only going to be right about half the time
instead of all the time.
> That could be, but it consistently affects only one user on her
> home computer, but not on her work.
That's unfortunate. Your best bet might be to log everything you can -
all HTTP headers for each request, all session activity, etc. If you
can't reproduce the problem yourself, it's going to be very hard to
debug (as I'm sure you've noticed).
> I guess I'm confused about what cross-site scripting is
No problem - I thought you might have just left out something.
Cross-site scripting is something else.
By the way, you might consider using session_set_save_handler() to write
your own session handling functions (temporarily), so that you can add
more logging. I've found this to be helpful when debugging extremely
sophisticated session problems.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
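The temporary logging handler Chris suggests, written out as an added example that is not from the original post or from Brain Bulb: it implements PHP's SessionHandlerInterface (so it assumes PHP 7.1 or later), keeps sessions in files the way the default handler does, and records every open/read/write/destroy together with the request's HTTP headers (Referer included) in a log file. The session directory and log path at the bottom are placeholders.

```php
<?php
// Added example, not from the original post: a temporary session save handler that keeps
// sessions in files like the default handler but logs every session operation plus the
// request's HTTP headers, so one user's flaky session can be traced. Assumes PHP 7.1+.
class LoggingSessionHandler implements SessionHandlerInterface
{
    private $dir, $logFile;
    public function __construct(string $dir, string $logFile)
    {
        $this->dir = rtrim($dir, '/');
        $this->logFile = $logFile;
        is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }
    private function log(string $event, string $id, string $extra = ''): void
    {
        $line = sprintf("%s %s %s sid=%s %s\n", date('c'), $_SERVER['REMOTE_ADDR'] ?? '-', $event, $id, $extra);
        file_put_contents($this->logFile, $line, FILE_APPEND | LOCK_EX);
    }
    // Accept only a plain session id before building a file path from it.
    private function file(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) ? "$this->dir/sess_$id" : null;
    }
    public function open(string $path, string $name): bool
    {
        // Every HTTP_* entry from $_SERVER: Referer, Cookie and User-Agent among them.
        $h = array_filter($_SERVER, function ($k) { return strncmp($k, 'HTTP_', 5) === 0; }, ARRAY_FILTER_USE_KEY);
        $this->log('open', '-', json_encode($h));
        return true;
    }
    public function close(): bool { $this->log('close', '-'); return true; }
    public function read(string $id): string
    {
        $f = $this->file($id);
        $data = ($f !== null && is_file($f)) ? (string) file_get_contents($f) : '';
        $this->log('read', $id, 'bytes=' . strlen($data)); // 0 bytes: new or lost session
        return $data;
    }
    public function write(string $id, string $data): bool
    {
        $this->log('write', $id, 'bytes=' . strlen($data));
        $f = $this->file($id);
        return $f !== null && file_put_contents($f, $data, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool
    {
        $this->log('destroy', $id);
        $f = $this->file($id);
        return $f === null || !is_file($f) || unlink($f);
    }
    public function gc(int $maxlifetime): int
    {
        $n = 0; // delete session files untouched for longer than the configured lifetime
        foreach (glob("$this->dir/sess_*") ?: [] as $f) { if (filemtime($f) + $maxlifetime < time() && unlink($f)) { $n++; } }
        return $n;
    }
}
// Register before session_start(); the second argument also registers session_write_close() at shutdown.
session_set_save_handler(new LoggingSessionHandler('/tmp/sessdbg', '/tmp/session-debug.log'), true);
session_start();
```

A read of 0 bytes for an id the user's browser keeps sending is the request to look at: the preceding open line shows which headers (cookie, Referer, user agent) that particular request carried.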