Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All

Request #8877 Security issue: Preventing session hijacking
Submitted: 2006-10-06 14:29 UTC
From: lyric680-web at yahoo dot de Assigned:
Status: Open Package: Text_Wiki2
PHP Version: 5.0.5 OS: Linux
Roadmaps: (Not assigned)    
Subscription  


 [2006-10-06 14:29 UTC] lyric680-web at yahoo dot de (Cyril)
Description: ------------ When Text_Wiki is integrated in a site that allows a session id to be transmitted through urls the session id would also be sent to external sites through the referer by the users browser. This can be prevented by using a local or external derefer (http://en.wikipedia.org/wiki/Dereferer). For this all external urls like 'http://www.google.com' have to be translated to something like 'http://derefer.php?url=http://www.google.com'. AFAIK Text_Wiki does not support such a translation yet.

Comments

 [2006-10-06 16:03 UTC] lyric680-web at yahoo dot de
Maybe a render configuration key 'href' for the 'url' rule would be a solution: setRenderConf('xhtml', 'url', 'href', 'http://derefer.php?url=%s');
 [2011-03-27 19:37 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!