Posted by Jerry Stuckle on 06/02/07 01:37
e_matthes@hotmail.com wrote:
> On Jun 1, 7:55 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Iván Sánchez Ortega wrote:
>>> e_matt...@hotmail.com wrote:
>>>> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
>>>> that true of all server variables, or just some of them? In
>>>> particular, I'm wondering if server_port can be faked.
>>> Unless your HTTP server runs on more than one port, that's pretty difficult.
>>>> I'm interested right now because I want to detect whether the current
>>>> page request is using http or https.
>>> Don't. Set up your web server to serve different pages over HTTP and over
>>> HTTPS.
>> Why would you ever do that? There's no reason why pages which don't
>> require security can't still be served over https.
>
> There's no harm done serving over https, except I keep reading that
> it's more resource-intensive than http. That makes sense, because
> encrypting and decrypting seems like more work than simply sending and
> receiving. Why have a user browse the whole site over a secure
> protocol when they only need to log in over a secure protocol? It's
> not a critical issue for my low-volume site, so these are probably
> semantics anyway.
>
Yes, but if you're pushing the limit enough that the difference between
http and https protocols causes your site to fall over, you're going to
die soon, anyway. And most of your users won't be using https unless
required, anyway.

My response was just directed at Ivan's comment that you should serve
different pages to http and https protocols. I see no reason why you
should do that.

>>>> I realize there are other ways to ensure the correct delivery of pages
>>>> over https using directory management and htaccess, but I also want to
>>>> understand the server variables better.
>>> Server variables are pretty simple: Whenever the web server receives a
>>> request for a PHP page, it spawns (or dispatches) a thread running the PHP
>>> interpreter. That thread will receive the complete URL, any posted data,
>>> and a handful of information. That "handful of information" is the $_SERVER
>>> variables.
>> Some $_SERVER variables (i.e. HTTP_REFERER, HTTP_USER_AGENT) come from the
>> user. Others (i.e. PATH, SERVER_NAME) are generated by the server.
>
> Both of these explanations clarify server variables. Thank you. So
> do I understand correctly that the http_ variables can be faked
> because they come from the user, but other variables like server_name
> and php_self are quite reliable because they come from the server?
>
>
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
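
Added example, not part of the original thread: a PHP sketch of the split discussed above, where HTTP_* entries of $_SERVER come from the request and the HTTP/HTTPS decision is made only from the server-set HTTPS flag. It goes one step beyond the thread by also treating PHP_SELF and the other URL-derived keys as client-influenced, since they contain the requested path. The function names, the REQUEST_DERIVED list and the sample values are constructed for illustration.

```php
<?php
// Added example; the request data in $sample is constructed.

// Filled in from the request line/URL, so the client chooses their content.
const REQUEST_DERIVED = ['REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF'];

// Split a $_SERVER-style array into client-influenced and server-set entries.
function classify_server_vars(array $server): array
{
    $out = ['client' => [], 'server' => []];
    foreach ($server as $key => $value) {
        $fromClient = strncmp($key, 'HTTP_', 5) === 0
            || in_array($key, REQUEST_DERIVED, true);
        $out[$fromClient ? 'client' : 'server'][$key] = $value;
    }
    return $out;
}

// Decide on the server-set HTTPS flag only: non-empty for a TLS request,
// "off" under IIS/ISAPI for plain HTTP. Request headers are never consulted.
function is_https(array $server): bool
{
    $flag = strtolower((string) ($server['HTTPS'] ?? ''));
    return $flag !== '' && $flag !== 'off';
}

// Constructed plain-HTTP request whose headers claim it arrived over HTTPS.
$sample = [
    'HTTP_REFERER'           => 'https://example.com/login',
    'HTTP_USER_AGENT'        => 'ExampleBrowser/1.0',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'PHP_SELF'               => '/index.php/<b>x</b>',
    'SERVER_PORT'            => '80',
    'SERVER_SOFTWARE'        => 'Apache',
    'PATH'                   => '/usr/bin:/bin',
];

$split = classify_server_vars($sample);
echo 'client-influenced: ', implode(', ', array_keys($split['client'])), "\n";
echo 'server-set:        ', implode(', ', array_keys($split['server'])), "\n";
echo 'is_https:          ', var_export(is_https($sample), true), "\n";
// Escape anything from the client bucket before echoing it into HTML.
echo 'escaped PHP_SELF:  ', htmlspecialchars($sample['PHP_SELF'], ENT_QUOTES, 'UTF-8'), "\n";
```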