Re: Login system

Posted by Gordon Burditt on 10/26/05 21:37

>Another thought: if the $_SERVER['http_referer'] is quite easy to fake,
>would a hidden field with $_SERVER['REQUEST_URI'] be even more easy to
>fake?

Probably not. Someone trying to DELIBERATELY fake is going to
succeed (without trying particularly hard). But many people running
security software, including those that block HTTP_REFERER, block
it without realizing it, and it may be darned inconvenient to NOT
block it. Also, something as simple as bookmarking a page and going
back to it will mess up HTTP_REFERER, and the user doing it may
have no idea why his login didn't work.

Remember, it is always possible for a user to (a) copy your HTML to
another server and edit it all he wants, or (b) manually type in
HTTP requests using telnet (or perhaps more conveniently, using CURL).

>I'm assuming the members WANT to login. Username & pass are checked
>from the DB, so if either referer, username or pass don't match, the
>user cannot login (as it is now). Is there anything wrong with this?

The referer stuff shouldn't be a *security* issue. As you described
it, it's a *convenience*. IMHO, if they give you an invalid referer
(remember, some users can't UNblock it), but a valid username and
password you should pick some reasonable default place to send them
(home page? ok. www.nambla.org? please don't.) after they've
logged in, and send them there. I think it's overly anal-retentive
to refuse a login here. It's much like not letting anyone with a
video display less than 65,000 colors and less than 20/20 vision
see your photographs AT ALL because they don't look their absolute
best, so you subject them to mandatory eye tests.

Why, incidentally, do you even want to refuse to send them back to
the page they logged in from if it's not yours? Sounds like
pretty obnoxious behavior.


>Now I'm also using the $_SERVER['http_referer'] for the logout action.
>It doesn't contain a form, but only requests a page that destroys some
>$_SESSION vars. This way I can send them back to the last page where
>they were logged in.

If you can't send them back to the last page where they were logged
in because the URL looks invalid, pick some place to send them
and send them there. Your home page, perhaps.

Gordon L. Burditt
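Added example, not part of the thread above and not Gordon's or the original poster's code: a PHP helper that applies the advice in the reply for both the login and the logout handler. It takes the untrusted candidate (PHP exposes the referer as $_SERVER['HTTP_REFERER']; a hidden form field would do as well), returns it only when it parses as a plain http/https page on our own host, and otherwise falls back to a default such as the home page instead of refusing the login. The hostname 'example.com' and the paths /login.php and /logout.php are assumptions for the illustration.

```php
<?php
// Added example (not from the original thread). Chooses a post-login or
// post-logout destination from an untrusted candidate such as
// $_SERVER['HTTP_REFERER'] or a hidden "return" field. The referer is
// treated as a convenience only; authentication is decided elsewhere
// by the username/password check.

/**
 * Return a safe redirect target, or $default when the candidate is unusable.
 *
 * @param string|null $candidate untrusted URL (referer or hidden field); null if blocked
 * @param string      $ourHost   hostname this site is served from, e.g. 'example.com' (assumed)
 * @param string      $default   fallback destination, e.g. the home page
 */
function safe_return_url(?string $candidate, string $ourHost, string $default = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;            // referer blocked or never sent: nothing to go back to
    }

    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;            // unparseable, e.g. garbage in a hidden field
    }

    // Only plain web URLs; rejects javascript:, data:, ftp: and the like.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }

    // A host other than ours (including schemeless "//other.example/...")
    // means an off-site page: send them to our own default instead.
    // Only the hostname is compared here; the port is deliberately ignored.
    if (isset($parts['host']) && strcasecmp($parts['host'], $ourHost) !== 0) {
        return $default;
    }

    // Accept only an absolute path beginning with a single "/";
    // "//x" or "/\x" could be read by some browsers as a different host.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/'
        || (isset($path[1]) && ($path[1] === '/' || $path[1] === '\\'))) {
        return $default;
    }

    // Do not bounce the user straight back into the login/logout handler (assumed paths).
    if (in_array($path, ['/login.php', '/logout.php'], true)) {
        return $default;
    }

    // Rebuild a same-host relative URL, keeping the query string but
    // dropping any userinfo, port or fragment the candidate carried.
    $target = $path;
    if (isset($parts['query']) && $parts['query'] !== '') {
        $target .= '?' . $parts['query'];
    }
    return $target;
}

// Usage in login.php, after the username/password check has succeeded,
// and likewise in logout.php after the $_SESSION variables are cleared:
//   $next = safe_return_url($_SERVER['HTTP_REFERER'] ?? null, 'example.com', '/');
//   header('Location: ' . $next);
//   exit;

// Constructed sample inputs and what the function returns:
//   'https://example.com/members/news.php?id=3'  -> '/members/news.php?id=3'
//   'http://www.other.example/page.html'          -> '/'   (off-site)
//   null                                          -> '/'   (referer blocked)
//   '//other.example/'                            -> '/'   (schemeless, foreign host)
//   'https://example.com/login.php'               -> '/'   (would loop back to the form)
```

The function never returns an error to the user: a missing or foreign referer simply lands on the default page, which is the behaviour the reply argues for. Comparing only the hostname keeps the example short; a site served on several ports or subdomains would extend the host check accordingly.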
