Re: [phplib] OT: Need Auth Advice SOLVED
From: Padraic Renaghan (list <email protected>)
Date: 05/22/01

Well, the HTTP_REFERER can be easily spoofed and often
blocked, so you can't really rely on its contents or the
fact that it is present.

That being said, most average users of the web don't know
how to spoof a header (like the referer) and have no inclination
to do so.

As long as you understand the limitations of relying on
the header you'll be fine.

-- 
Padraic Renaghan /pad-rik ren-a-han/
padraic <email protected>
IM: abuhaina (AOL/Yahoo/MSN) 9437815 (ICQ)
http://renaghan.com/pcr/
lure --> 123sig987 <email protected> <-- don't use

* Bob Bowker <bowker <email protected>> [May 22 11:07am]:

> Hi --
>
> As is often the case, verbalizing the issue yields the answer ... the
> contents of
>
>     getenv("HTTP_REFERER")
>
> seem to solve my problem: if it's my own URL, it's a local page requesting
> another, otherwise it's a request from "outside" and I need to refuse entry.
>
> Any holes in this ...?
>
> Bob.
>
> At 10:30 AM 5/22/01 -0700, Bob Bowker wrote:
> >Good Morning --
> >
> >I have a dynamic PHP4 site using MySQL and PHPLib. The site is currently
> >on-line, working well, available to the general public.
> >
> >We have negotiated an affiliation agreement with a much larger site
> >whereby their users will click on a link from their entry page to our home
> >page and are eligible for a discount on purchases. The referral will
> >arrive the first time with a Cookie or GET code from the other site, which
> >I will store as a session variable, based on which the unique
> >look-and-feel will be generated and the discount applied - no log-in will
> >be required.
> >
> >The issue is "coming back" - they want us to refuse admission to anyone
> >coming in using a bookmark from one of their affiliation sessions (Cookie
> >or GET variables) - no one should be allowed in as a referral (and thus
> >get the discount) unless they link from their local entry page.
> >
> >(They understand that anyone simply typing the URL of our "base"
> >web site will get in with no challenge - or discount! - their concern is
> >anyone "re-using" or "distributing" an authorized session.)
> >
> >I have PHPLib handling session management ... I can handle the refusal at
> >our home page, but I can't seem to get my mind around a functionality that
> >will accommodate the "refuse admission" for someone who has bookmarked an
> >internal page and returns the next day ...
> >
> >~ write a class to make the affiliate timeout at, say, 1 hour, as opposed
> >to the 3 days we give current customers?
> >
> >~ use $REMOTE_ADDR ...? But doesn't that fail on internal pages - what's
> >the difference between someone coming from page 32 to page 45, and someone
> >coming in with a bookmarked page 45?
> >
> >As I say, the problem is getting my head to visualize the functionality
> >... any advice will be greatly appreciated.
> >
> >TIA ...
> >
> >Bob.

---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>
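An added illustration of the two points in this exchange, not code from the thread or from PHPLib, and written in Python rather than the PHP4 the site runs: the Referer check Bob proposes accepts a request from anyone who types the header in by hand and rejects a genuine visitor whose browser or proxy strips it, while a signed, expiring, single-use referral token carried by the affiliate's link, redeemed once at the home page and then tracked in the session, refuses yesterday's bookmark without needing Referer or REMOTE_ADDR at all. The affiliate host, the shared secret, and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for the example: the affiliate's entry page and a secret
# agreed out of band between the affiliate and our site (from config in practice).
AFFILIATE_SCHEME = "https"
AFFILIATE_HOST = "affiliate.example"
AFFILIATE_ENTRY_PATH = "/entry"
SHARED_SECRET = b"example-secret-do-not-use"


def referer_says_affiliate(headers):
    """The check proposed in the thread: trust the Referer header.

    Passes for anyone who sends the header, including a client that typed it
    in by hand, and fails for a genuine visitor whose browser or proxy strips it.
    """
    ref = headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    return (parts.scheme == AFFILIATE_SCHEME
            and parts.netloc == AFFILIATE_HOST
            and parts.path == AFFILIATE_ENTRY_PATH)


def _sign(nonce, expires):
    msg = f"{nonce}.{expires}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_referral_token(now, ttl=3600, nonce=None):
    """Affiliate side: build the GET parameter that their entry link carries.

    The token names a single-use nonce and an expiry, MACed with the shared
    secret, so a visitor can neither forge one nor extend its lifetime.
    """
    nonce = nonce or secrets.token_hex(8)
    expires = int(now) + ttl
    return f"{nonce}.{expires}.{_sign(nonce, expires)}"


def redeem_referral_token(token, now, used_nonces):
    """Our side, at the home page: accept a token at most once, before expiry.

    Returns the expiry to store in the session on success, None on refusal.
    used_nonces is the replay store (a set here; a table in a real deployment).
    """
    try:
        nonce, expires_str, sig = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(nonce, expires)):
        return None  # forged or tampered
    if now > expires:
        return None  # stale link, e.g. a bookmark from yesterday
    if nonce in used_nonces:
        return None  # replay of a link someone passed around
    used_nonces.add(nonce)
    return expires


def discount_applies(session, now):
    """Internal pages: the discount lives in the session, not in the URL, so
    page 32 -> page 45 and a bookmarked page 45 are told apart by the
    session's own affiliate expiry, never by Referer."""
    expires = session.get("affiliate_expires")
    return expires is not None and now <= expires


def demo():
    """Walk through the failure modes with constructed requests; returns the outcomes."""
    spoofed = {"Referer": f"{AFFILIATE_SCHEME}://{AFFILIATE_HOST}{AFFILIATE_ENTRY_PATH}"}
    stripped = {}  # a privacy proxy or browser setting removed the header
    used = set()
    now = 1_000_000
    token = issue_referral_token(now, ttl=3600)
    session = {}
    exp = redeem_referral_token(token, now + 10, used)
    if exp is not None:
        session["affiliate_expires"] = exp
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "referer_spoof_passes": referer_says_affiliate(spoofed),
        "referer_stripped_fails": not referer_says_affiliate(stripped),
        "token_first_use_ok": exp is not None,
        "token_replay_refused": redeem_referral_token(token, now + 20, used) is None,
        "token_after_ttl_refused": redeem_referral_token(
            issue_referral_token(now, ttl=3600), now + 86_400, set()) is None,
        "token_tampered_refused": redeem_referral_token(tampered, now + 10, set()) is None,
        "internal_navigation_keeps_discount": discount_applies(session, now + 600),
        "bookmark_next_day_no_discount": not discount_applies(session, now + 86_400),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Every entry `demo()` returns is True: the Referer check is fooled in both directions, while the token is accepted exactly once inside its window and the session expiry, rather than the header, decides whether a returning bookmark still gets the discount.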