I guess you are saying that trying to have my PHP script send the user's browser HTML headers to stop caching is not really going to solve my problem. I did put a block rule in my firewall for the attacker's IP address and that stopped the attack from recurring.

But to make sure it doesn't happen again I am adding a Captcha Security Code Random-Noisy-Images to the screen. This uses a randomly generated graphic image to stymie auto-submission scripts.

-----Original Message-----
From: gerald_clark [mailto:[EMAIL PROTECTED]
Sent: Monday, March 13, 2006 12:13 PM
To: [EMAIL PROTECTED]
Cc: Mysql
Subject: Re: users browser caching the screen

fbsd_user wrote:

> Now I know what I am going to talk about is not directly related to this mysql list, but I am in need of some concept ideas.
>
> To set the background. It's a very common practice in the registration process of a new user to verify the user's email address is valid by sending an email to the entered email address with a link in it to a screen that updates the user's emailed verified flag in his table record. I have such a process.
>
> Once a week I review my Apache activity log and I noticed a lot of log records for the file that processes the link to update the user's email verified flag (over 1500 from the same IP address).
>
> To me this looked like an attack to break into my web application. Research and testing indicates that the screen is cached by the user's browser and he is changing the passed link info repeatedly in an effort to break in. This screen is the only one that does not have session security control because it's launched from the verify email I sent him.
>
> Now my registration sign up screen has a Captcha Security Code Random-Noisy-Image and part of that is a string of headers to the browser to stop caching. They look like this.
>
> // send several headers to make sure the image is not cached
> // taken directly from the PHP Manual
>
> // Date in the past
> header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
>
> // always modified
> header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
>
> // HTTP/1.1
> header("Cache-Control: no-store, no-cache, must-revalidate");
> header("Cache-Control: post-check=0, pre-check=0", false);
>
> // HTTP/1.0
> header("Pragma: no-cache");
>
> Now my desire is to somehow have the screen that is the target of the email link issue these headers before displaying its HTML code so the user can no longer run a script against this screen trying to break in.
>
> Is this possible and if so how? Is this kind of attack happening to anyone else?
>
> Thanks for any help you can offer.

You have no way of knowing if the user is running a browser at all. He could have grabbed the page once, and run a script that pretends to be a browser.

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
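Since, as gerald_clark points out, cache headers cannot stop a script that merely pretends to be a browser, the protection has to live in the verification link itself. The following PHP is an added example (not code from anyone in this thread) of the verify-email screen hardened along those lines: the token in the link is 256 random bits, only its hash is stored, it expires, it can be used once, and repeated failures from one IP address (the 1500-hit pattern from the Apache log) are throttled. The in-memory arrays `$users` and `$failures`, the function names and the constants are all assumptions standing in for the poster's MySQL table and chosen limits.

```php
<?php
// Added example, not from the original thread. Arrays stand in for the
// users table and for a per-IP attempts table; adapt to MySQL as needed.

declare(strict_types=1);

const TOKEN_BYTES    = 32;     // 256 bits of entropy: guessing a link is infeasible
const TOKEN_TTL      = 86400;  // verification links expire after 24 hours (assumed)
const MAX_FAILURES   = 20;     // failed attempts per IP before refusing (assumed)
const FAILURE_WINDOW = 3600;   // seconds over which failures are counted (assumed)

$users    = [];   // constructed stand-in: user_id => row
$failures = [];   // constructed stand-in: ip => [first_seen, count]

// Called at registration; the returned string goes into the emailed link.
function issue_verification_token(array &$users, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    // Store only a hash, so a leaked table row does not yield a usable link.
    $users[$userId] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => $now + TOKEN_TTL,
        'verified'   => false,
    ];
    return $token;
}

// Called by the screen the emailed link points at. Returns
// 'verified', 'invalid' or 'throttled'; every failure reason maps to
// the same 'invalid' so the caller learns nothing about why.
function verify_link(array &$users, array &$failures, string $ip,
                     int $userId, string $token, int $now): string
{
    // Per-IP failure throttle: expired windows are reset, full ones refused.
    if (isset($failures[$ip])) {
        [$first, $count] = $failures[$ip];
        if ($now - $first > FAILURE_WINDOW) {
            unset($failures[$ip]);
        } elseif ($count >= MAX_FAILURES) {
            return 'throttled';
        }
    }

    $row = $users[$userId] ?? null;
    $ok  = $row !== null
        && !$row['verified']                        // single use
        && $now <= $row['expires']                  // not expired
        && hash_equals($row['token_hash'], hash('sha256', $token)); // constant-time

    if (!$ok) {
        if (!isset($failures[$ip])) {
            $failures[$ip] = [$now, 0];
        }
        $failures[$ip][1]++;
        return 'invalid';
    }

    $users[$userId]['verified'] = true;
    return 'verified';
}

// Usage: a real click, a replay of the same link, then a run of guessed
// tokens from a second (constructed) address that trips the throttle.
$now  = time();
$link = issue_verification_token($users, 42, $now);
echo verify_link($users, $failures, '203.0.113.9', 42, $link, $now), "\n";
echo verify_link($users, $failures, '203.0.113.9', 42, $link, $now), "\n";
$result = '';
for ($i = 0; $i <= MAX_FAILURES; $i++) {
    $guess  = bin2hex(random_bytes(TOKEN_BYTES));
    $result = verify_link($users, $failures, '198.51.100.7', 42, $guess, $now);
}
echo $result, "\n";
```

The first call succeeds, the replay is rejected because the flag is already set, and the guessing loop ends with the throttle refusing further attempts from that address. Two design points carry the weight: `hash_equals` keeps the comparison constant-time so response timing leaks nothing about the stored hash, and the single `'invalid'` result for an unknown user, an expired link, a used link or a wrong token means an automated client cannot tell which part of its guess was close. The cache headers from the original post can still be sent on this screen, but they are a courtesy to real browsers, not a control.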