
Okay, this may sound like a stupid question, but this actually is a real life situation I gotta sort out.

The company I work for is using a rather outdated online shop software (PHP) which is hosted on the company's server. Unfortunately, the source code is encrypted and the CMS does not allow me to add some PHP code either, so I guess I'm stuck with JavaScript on this one.

Let's say we have a huge sale start coming up and people start sharing links via YouTube, Twitter, and so on. Due to the software being made somewhere in the last century, some links still contain session IDs which will definitely be shared by some users. This, however, will result in multiple users placing orders on the same customer account or even worse, overwriting existing customer accounts with new customer data.

I know that this situation is far from ideal and that the software definitely needs an update, but this is not an option at the moment. I also know that I'm not getting a 100% solution, so I'm just gonna try to prevent people from accidentally wrecking some customer data.

That being said, I thought about checking the URL for a Session ID and checking the value in document.referrer as well. If the URL contains a Session ID and the referrer is some other server than ours, I'll just do a quick redirect to the main landing page. Again: This is meant to prevent the average user from accidentally logging into someone else's account due to clicking on a bad link, I'm not trying to prevent proper session hijacking here.

Any ideas on this one? Are there any situations where the referrer might not contain actual values, e. g. the browser not sending referrers at all? Any other ways to sort this out using JavaScript only?

Chris
  • Those sessions have a timeout, so you could make it really small, like 5 min. This will greatly reduce the chance of accidentally accessing another session. – Rudy May 20 '15 at 08:27
  • You could set a cookie with an expiration time of - let's say - 5 minutes. On every page test if there is a cookie. If not, remove the session id. Then write a cookie for 5 minutes. If there is a cookie, the user has logged in. It's not ideal, but could work. – Michel May 20 '15 at 08:27
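Added example (not code from the question author or the commenters): a client-side check that combines the question's URL-plus-referrer idea with the short-lived first-party cookie from the comments. The session parameter names (`sid`, `PHPSESSID`) and the marker cookie name are assumptions; replace them with whatever the shop actually puts in its links. An empty referrer is deliberately treated as "not ours", because browsers omit it for bookmarks, typed URLs, many native apps and strict `Referrer-Policy` settings, and a shared link opened that way is exactly the accidental case; the marker cookie is what keeps ordinary in-site navigation from being redirected in those same browsers.

```javascript
// Added example, not from the original post. Assumed names below:
const SESSION_PARAM_NAMES = ['sid', 'PHPSESSID']; // assumption: the shop's session query parameters
const MARKER_COOKIE = 'shop_session_owner';        // assumption: first-party "this browser browsed here" marker
const MARKER_TTL_SECONDS = 300;                    // 5 minutes, as the comments suggest

// True when any of the known session parameters appears in the query string.
function hasSessionIdInUrl(urlString, paramNames = SESSION_PARAM_NAMES) {
  const url = new URL(urlString);
  return paramNames.some((name) => url.searchParams.has(name));
}

// True when the referrer is absent, unparsable, or from another origin.
// An empty referrer counts as external: a session-bearing URL that arrives
// without a referrer (bookmark, typed URL, app, strict Referrer-Policy)
// looks the same as a shared link and is treated that way.
function isExternalReferrer(referrer, ownOrigin) {
  if (!referrer) return true;
  try {
    return new URL(referrer).origin !== ownOrigin;
  } catch (err) {
    return true;
  }
}

// Decide whether this page load should be redirected away from the shared
// session. Returns the redirect target, or null when the visit is allowed.
// Rule: redirect only if the URL carries a session id, the browser has no
// first-party marker cookie from earlier in-site page views, and the
// referrer is not our own origin.
function decideRedirect(currentUrl, referrer, hasMarkerCookie, ownOrigin, landingPath = '/') {
  if (!hasSessionIdInUrl(currentUrl)) return null;
  if (hasMarkerCookie) return null;
  if (!isExternalReferrer(referrer, ownOrigin)) return null;
  return ownOrigin + landingPath;
}

// Look for the marker in a document.cookie-style "a=1; b=2" string.
function hasCookie(cookieHeader, name) {
  return cookieHeader
    .split(';')
    .map((c) => c.trim())
    .some((c) => c.startsWith(name + '='));
}

// Browser glue: runs only where window/document exist, so the pure
// functions above can be exercised outside a browser as well.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const target = decideRedirect(
    window.location.href,
    document.referrer,
    hasCookie(document.cookie, MARKER_COOKIE),
    window.location.origin
  );
  if (target) {
    // replace() keeps the session-bearing URL out of the history stack,
    // so "Back" does not land the user on it again.
    window.location.replace(target);
  } else {
    // Refresh the sliding marker on every allowed page view.
    document.cookie = MARKER_COOKIE + '=1; Max-Age=' + MARKER_TTL_SECONDS + '; Path=/; SameSite=Lax';
  }
}
```

The script has to run in the `<head>` of every shop page before anything session-dependent is rendered, which is the one thing the CMS must allow. Its limits match what the question already accepts: the marker cookie only says "this browser was on our site recently", so a visitor who clicks the same shared link a second time within the five-minute window is let through, and anyone who deliberately disables JavaScript bypasses the check entirely. It stops the accidental click from an external site, not session hijacking.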
