Web Hosting Talk : Web Hosting Main Forums : Programming Discussion : remove refferers

[NWSTech]

hello,
ive been having a spate of sites getting hacked because hackers are linking from the site to an image on their sites and then getting the sesson ids of users on my sites from the referrer string in logs - i cannot remove the session ids from the address before anyone asks as the sites are primarily used on mobile devices which do not all support proper php sessions, is their any way i can tell php not to pass a refferer or to change the refferer at all ?

[dhelfman]

Whether a referring URL is sent to a site is decided entirely by the user's web browser. So your PHP script doesn't really have any control over that.

One hack would be to make your links not take the user directly to the destination web site, but instead redirect to another one of your own PHP pages that takes one argument, the actual destination URL, and redirects to that URL immediately. So when your user clicks the link, they're taken to your PHP redirection script, which then forwards them on to their actual external destination.

The benefit is that the browser's referrer URL, as sent to the external web site, will be your PHP redirection page. And if you don't use session IDs at all for that page's URL (since it doesn't need to know or care which user it is), then the referrer URL won't contain the session ID.

Just an idea.