php3-list | 199908
Date: 08/31/99
- Next message: Alexandr Lopatin: "[PHP3] Oracle 7, stored procedure and array bindings"
- Previous message: Kristian Köhntopp: "Re: [PHP3] Help with sessions"
- In reply to: Christian Feichtner: "[PHP3] Security Questions (long post)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Christian Feichtner wrote:
> (GetCleanURL($HTTP_REFERER) !=
> "http://$SERVER_NAME:$SERVER_PORT$REQUEST_URI") or
> (!is_int($securityvar)) or
Checking for the referer is very easily spoofed. It is as hard as telnetting to
port 80 of your webserver and typing the request manually, for example
telnet target.server.at 80
Connected to ...
GET /script.php3 HTTP/1.0
Host: target.server.at
Referer: http://some.host.i.want/to/spoof/IMONAMISSIONFROMGOD.HTML
and that's about it.
> - Any better ideas (and i am sure there are some).
Use PHPLIB. You get a system for authentication which is completely independent of the underlying webserver and operating system and which is much more secure than checking for IPs and referers. PHPLIB implements persistent variables, that is, variables which live longer than a single page and which are kept ON THE SERVER. That way you can remember when the user logged in, what his name is and other things. PHPLIB contains a class named Auth which takes care of all this.
Kristian
-- 
Kristian Köhntopp, NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany, +49 431 386 436 00
Using PHP3? See our web development library at http://phplib.shonline.de/ (GPL)

-- 
PHP 3 Mailing List <http://www.php.net/>
To unsubscribe, send an empty message to php3-unsubscribe <email protected>
To subscribe to the digest, e-mail: php3-digest-subscribe <email protected>
To search the mailing list archive, go to: http://www.php.net/mailsearch.php3
To contact the list administrators, e-mail: php-list-admin <email protected>
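The two points of the message above, shown side by side as an added example that is not part of the original post and not PHPLIB code: the hand-typed request from the telnet transcript, a simplified version of the quoted Referer comparison which that request satisfies, and a minimal server-side session store of the kind PHPLIB's persistent variables provide, where the client only carries an opaque id and the login state never leaves the server. Python is used here instead of PHP3 so the example runs stand-alone; the host names, the request path and the function names are assumptions for illustration.

```python
import secrets

# The raw bytes the message shows being typed at "telnet target.server.at 80".
# Every header, Referer included, is chosen by whoever opens the socket.
# Host names and path are constructed for the example.
def build_raw_request(path, host, referer):
    """Hand-build an HTTP/1.0 request with an attacker-chosen Referer."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Referer: {referer}\r\n"
        "\r\n"
    ).encode()


def parse_request(raw):
    """Split a raw request into (path, headers) the way a server would."""
    lines = raw.decode().split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return path, headers


def referer_check_passes(raw, server_name, server_port):
    """Simplified form of the quoted check: Referer must equal the server's
    own URL for the requested path. It only tests what the client wrote,
    so a client that types the expected value passes."""
    path, headers = parse_request(raw)
    expected = f"http://{server_name}:{server_port}{path}"
    return headers.get("referer") == expected


class ServerSideSessions:
    """Stand-in for server-kept persistent variables (hypothetical, not the
    PHPLIB Auth API). The client receives only a random session id; who is
    logged in and since when is stored here and cannot be typed in."""

    def __init__(self):
        self._store = {}

    def login(self, username):
        """Create a session on the server and hand back its opaque id."""
        sid = secrets.token_hex(16)          # 128 bits of randomness
        self._store[sid] = {"user": username, "logged_in": True}
        return sid

    def user_for(self, sid):
        """Resolve an id presented by a client to the server-side user,
        or None if the server never issued that id."""
        session = self._store.get(sid)
        if session is None or not session["logged_in"]:
            return None
        return session["user"]

    def logout(self, sid):
        self._store.pop(sid, None)


if __name__ == "__main__":
    spoofed = build_raw_request("/script.php3", "target.server.at",
                                "http://target.server.at:80/script.php3")
    print("referer check fooled:", referer_check_passes(spoofed, "target.server.at", 80))
    sessions = ServerSideSessions()
    sid = sessions.login("christian")
    print("real id resolves to:", sessions.user_for(sid))
    print("guessed id resolves to:", sessions.user_for("0" * 32))
```

The referer check accepts the forged request because the only input it has is the header the attacker wrote; the session lookup rejects a guessed id because the decision is made from state the attacker never had write access to.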