I was thinking to myself what a wonderful world, then I woke up. Afterwards I thought this up.
Okay, suppose you have a social networking site called [url]http://www.friends.com[/url]. Now suppose this site, when you log in, stores your PHP session ID as a GET variable, i.e.
[CODE]http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0[/CODE]
Now, (yes, another hypothetical) suppose I posted a link on my profile to my external site [url]http://www.mysitezor.com[/url]. When the other users of the site click it, they will be taken to my site. I will have a nice little log file showing referrer information. So, later, shouldn't I be able to go to my log file and see their referrer information, right? It should look like this (pseudo).
[CODE][B]IP[/B] - 6*.***.66.***
[B]Hostname[/B] - <insert random hostname here>
[B]Referrer[/B] - http://www.friends.com/profile.php?SESSID=aaaea***0fa*bc00**df6cedb*7b*cb0[/CODE]
Since the SESSID was stored as a GET var, it shows up, right? So shouldn't I be able to log in to my Friends.com account and change my cookie's SESSID value to the one that I got from the referrer information, thereby hijacking the victim's session?
Just a theory, feedback would be nice.
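A defender-side check for the leak described in this post, added here as an example and not part of the original thread: it scans access-log lines in the common "combined" format for Referer URLs that carry a session identifier, so a site operator can tell whether their own pages (or a referring site) are putting session tokens in query strings. The log lines, hostnames, IPs and the token are constructed for this example; the report keeps only a prefix of each token.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Regex for the Apache/nginx "combined" log format (sample lines are constructed below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names commonly used to carry a session identifier in a URL
SESSION_PARAM_NAMES = {"sessid", "phpsessid", "sid", "sessionid", "jsessionid", "session"}
# A long bare hex token (the shape of a PHP session id) is flagged under any parameter name
HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{26,}$", re.IGNORECASE)

def find_session_leaks(log_text: str) -> list[dict]:
    """Return one finding per request whose Referer URL carries a session id.

    A hit means the referring site handed a session token to this server
    in the Referer header, i.e. that site is exposing tokens in its URLs.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["referer"].startswith("http"):
            continue  # unparsable line, or no Referer sent ("-")
        url = urlsplit(m["referer"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in SESSION_PARAM_NAMES or HEX_TOKEN_RE.match(value):
                findings.append({
                    "ip": m["ip"],
                    "referer_host": url.netloc,
                    "param": name,
                    # Do not keep the full token in a report; a prefix is enough to triage
                    "token_prefix": value[:6] + "...",
                })
    return findings

# Constructed sample log lines; the hosts, addresses and the session id are made up
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "http://www.friends.com/profile.php?SESSID=aaaea0fa0bc00df6cedb7bcb0aaaea0f" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512 "http://www.friends.com/search.php?q=cats" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:13:55:41 +0000] "GET /a.png HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in find_session_leaks(SAMPLE_LOG):
        print(finding)
```

The fix belongs on the referring site: keep the session id out of the URL (in PHP, session.use_only_cookies=1 and session.use_trans_sid=0) so the cookie, not the query string, carries it, and send a Referrer-Policy header so outbound links do not carry the full URL.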