sessions.referer_check woes

Anon

I'm trying to use the referer_check option to automagically disable the session ID if the referer isn't my own sites (I use 3rd level domain names).

Unfortunately attempts to make it work using ".mydomain.com" and "mydomain.com" aren't working.

For additionally background I'm using user session handling via a MS SQL database. While session cookies are supported, I have my browser set to not allow cookies from the site.

The test I'm executing is to start the session on one computer, then have another computer attempt to load the same URL (including my session in that URL).

If I can't get this to work, I'd appreciate any hints on how to expire the session ID manually and get PHP to assign a new one. Do I just need to clear the session ID system value?

[deleted]

Just log the client's IP along somewhere in your scripts. With every request you check wether the IP is still the same. if it changed, destoy the cookie and start again.

Anon

cookies aren't a factor. While they are supported by the server, I'm blocking them via the browsing client. Session propogation is occuring by imbedding the SID in the URL.

There is no cookie to be destroyed.

Additionally, since the data is being maintained via the database, destroying the cookie would do no good anyways. I need a method of recognizing that the session was hijacked and issuing the visitor a NEW session id. I would like to use the referer_check option as it provides the most bang for the least effort. Additionally, while not as secure, it doesn't have any problems with visitors who are coming to the site via clustered proxy/firewalls which could cause them to have multiple IP addresses within a single session.

[deleted]

"Session propogation is occuring by imbedding the SID in the URL"

A bad move, but it's your choice.

"I would like to use the referer_check option as it provides the most bang for the least effort."

It is also completely unreliable because not all browsers send it by default, and it can be disabled. Also, spoofing the referer is easy as 1 2 3. Spoofing your IP is a lot more difficult.

"Additionally, while not as secure, it doesn't have any problems with visitors who are coming to the site via clustered proxy/firewalls which could cause them to have multiple IP addresses within a single session."

Most proxies (except anonomizers) send the true IP of the request along, because that is the only safe way of recognizing a client.

Anon

Thanks for the info, but I don't suppose you can answer my original question?

I'm still wondering how to invalidate the original session id and issue a new one. I had hoped to get php to do this for me, but baring that, how do I do it manually?