php3-list | 199908

Re: [PHP3] Security Questions (long post) From: Kristian Köhntopp (kk <email protected>)
Date: 08/31/99

Christian Feichtner wrote:
> (GetCleanURL($HTTP_REFERER) !=
> "http://$SERVER_NAME:$SERVER_PORT$REQUEST_URI") or
> (!is_int($securityvar)) or

Checking for the referer is very easily spoofed. It is as hard as telnetting to
port 80 of your webserver and typing the request manually, for example

telnet target.server.at 80
Connected to ...

GET /script.php3 HTTP/1.0
Host: target.server.at
Referer: http://some.host.i.want/to/spoof/IMONAMISSIONFROMGOD.HTML

and that's about it.

> - Any better ideas (and i am sure there are some).

Use PHPLIB. You get a system for authentication which is completely independent of the underlying webserver and operating system and which is much more secure than checking for IPs and referers. PHPLIB implements persistent variables, that is, variables which live longer than a single page and which are kept ON THE SERVER. That way you can remember when the user logged in, what his name is and other things. PHPLIB contains a class named Auth which takes care of all this.

Kristian

-- 
Kristian Köhntopp, NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany, +49 431 386 436 00
Using PHP3? See our web development library at
http://phplib.shonline.de/ (GPL)
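As an added example, not from Kristian's post and not PHPLIB's Auth class, the two approaches side by side in plain PHP using the built-in session support of PHP 4 and later: the referer comparison from the quoted message, which only checks a header the client chose to send, next to a login that records the user name and login time in the server-side session, where the client cannot edit them. The function names, the constructed user table, the one-hour timeout and the use of `password_hash()`/`password_verify()` (PHP 5.5 and later) are assumptions for illustration.

```php
<?php
// Added example, not code from the original post or from PHPLIB.
// Shows why a Referer check is not evidence of anything, and what
// server-side session state looks like instead. Names are assumptions.

declare(strict_types=1);

// --- Weak: relies on a client-supplied header -----------------------------
// Anyone who speaks HTTP can send an arbitrary Referer (see the telnet
// transcript in the post above), so a match proves nothing about the origin
// of the request. Kept here only to contrast with the session-based check.
function referer_looks_local(array $server): bool
{
    $expected = 'http://' . ($server['SERVER_NAME'] ?? '')
              . ':' . ($server['SERVER_PORT'] ?? '')
              . ($server['REQUEST_URI'] ?? '');
    return ($server['HTTP_REFERER'] ?? '') === $expected;
}

// --- Better: authorization state lives on the server -----------------------
// Constructed user table (assumption). In practice the hashes come from a
// database; the hash is generated here only so the example is self-contained.
function user_table(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return $users;
}

function credentials_valid(string $uname, string $password): bool
{
    $users = user_table();
    // Verify against a dummy hash when the user is unknown so that
    // response time does not reveal which user names exist.
    $hash = $users[$uname] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return isset($users[$uname]) && password_verify($password, $hash);
}

// Start the session with the cookie as the only session-id carrier and
// HttpOnly set, so the id is not leaked through URLs or script access.
function begin_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// On success, the user name and login time are stored server side; the
// client only ever holds an opaque session id.
function login(string $uname, string $password): bool
{
    if (!credentials_valid($uname, $password)) {
        return false;
    }
    session_regenerate_id(true);            // new id on privilege change (anti session fixation)
    $_SESSION['uname']      = $uname;
    $_SESSION['login_time'] = time();
    return true;
}

// Call at the top of every protected page. Returns the user name or
// terminates the request. The one-hour lifetime is an assumed policy.
function require_login(int $max_age_seconds = 3600): string
{
    if (empty($_SESSION['uname']) || !isset($_SESSION['login_time'])) {
        http_response_code(403);
        exit('not logged in');
    }
    if (time() - (int) $_SESSION['login_time'] > $max_age_seconds) {
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('session expired');
    }
    return (string) $_SESSION['uname'];
}

// Usage on a protected page (assumed flow):
//   begin_session();
//   $who = require_login();          // 403 unless the server-side session says otherwise
// Usage on the login form handler:
//   begin_session();
//   if (login($_POST['uname'] ?? '', $_POST['password'] ?? '')) { /* redirect */ }
```

The difference to note is where the trusted data lives: `referer_looks_local()` reads only what the client sent, while `require_login()` reads `$_SESSION`, which is populated by the server in `login()` and is not writable from the browser. That is the same separation PHPLIB's Auth class provides.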

-- PHP 3 Mailing List <http://www.php.net/>
To unsubscribe, send an empty message to php3-unsubscribe <email protected>
To subscribe to the digest, e-mail: php3-digest-subscribe <email protected>
To search the mailing list archive, go to: http://www.php.net/mailsearch.php3
To contact the list administrators, e-mail: php-list-admin <email protected>