| Package home | Report new bug | New search | Development Roadmap | Status: Open | Feedback | All |
| Request #8877 | Security issue: Preventing session hijacking | ||
|---|---|---|---|
| Submitted: | 2006-10-06 14:29 UTC | ||
| From: | lyric680-web at yahoo dot de | Assigned: | |
| Status: | Open | Package: | Text_Wiki2 |
| PHP Version: | 5.0.5 | OS: | Linux |
| Roadmaps: | (Not assigned) | ||
[2006-10-06 14:29 UTC] lyric680-web at yahoo dot de
(Cyril)
Description:
------------
When Text_Wiki is integrated in a site that allows a session id to be transmitted through urls the session id would also be sent to external sites through the referer by the users browser.
This can be prevented by using a local or external derefer (http://en.wikipedia.org/wiki/Dereferer).
For this all external urls like 'http://www.google.com' have to be translated to something like 'http://derefer.php?url=http://www.google.com'.
AFAIK Text_Wiki does not support such a translation yet.
Comments
[2006-10-06 16:03 UTC] lyric680-web at yahoo dot de
Maybe a render configuration key 'href' for the 'url' rule would be a solution:
setRenderConf('xhtml', 'url', 'href', 'http://derefer.php?url=%s');