Have you considered cookies?
I know cookies are also annoying, BUT ... I guess you can try it.
I don't know any other way to overcome this situation with old browsers which do not set HTTP_REFERER.
And what about proxies or programs like wget? These web retrievers never pass in any info except HTTP GET, so what happens when someone tries to access a session through a really old proxy or a program like wget? Even cookies won't help. So I assume you'd have to trust the host by its IP.
What you can do:
once the person is logged in:
- record their IP and when they last accessed a page on the server.
- if they access another page after a timeout has been reached (e.g. 30 minutes), give a timeout warning and restart the session.
- If their IP changes when they try to access a consistent session, restart the session.
hmm, aside from those pointers I cannot think of anything else....
-Sridhar
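
The three steps listed in the post above, as an added example that is not part of the original post: a session is bound to the IP seen at login and to a sliding 30-minute idle window, and is destroyed when either check fails. The `SessionStore` class, its method names and the in-memory dictionary are hypothetical, chosen only for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60  # seconds; the 30-minute figure used in the post


@dataclass
class Session:
    user: str
    ip: str
    last_seen: float


class SessionStore:
    """In-memory store (hypothetical; a real app would use its own backend)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def login(self, user, ip, now=None):
        """Create a session at login, recording the IP and access time."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(user, ip, now)
        return sid

    def check(self, sid, ip, now=None):
        """Return 'ok', 'timeout', 'ip_changed' or 'unknown' for a request."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return "unknown"
        if ip != sess.ip:
            del self._sessions[sid]  # restart: the old id is no longer valid
            return "ip_changed"
        if now - sess.last_seen > self.idle_timeout:
            del self._sessions[sid]
            return "timeout"
        sess.last_seen = now  # sliding window: each valid hit refreshes it
        return "ok"
```

Destroying the record on a failed check means a copied session identifier cannot be replayed afterwards from either address. Clients whose address legitimately changes between requests (rotating proxies, mobile networks) will be forced to log in again under this policy.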