I've heard of way too many people relying on HTTP_REFERER thinking it's a
secure way to lock things down... so I'll take this chance here and
illustrate what I'm talking about.

You'll need: netcat (http://www.l0pht.com/~weld/netcat/) and a PHP
webserver.

Cut and paste the following HTTP request into a file (the blank line after
the last header is part of the request):

--------------------------------
GET /referer.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, image/png, image/jpeg, image/gif;q=0.2, text/plain;q=0.8, text/css, */*;q=0.1
Accept-Language: en-us
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.yoursecuresite.com/cc_info.html

----------------------------------------------------------------

Modify the "GET" parameter on the first line if you wish to place your
script somewhere besides http://webserver.com/test.php

Place the following code in test.php:

-------------------------------------
The http referer is: <?=$HTTP_REFERER?>
-------------------------------------

Now just run:

cat <file containing http request> | nc <ip of remote server> 80

... and watch what the webserver spits back for the $HTTP_REFERER
variable. Just change the 'Referer' line and you can make it say whatever
you want.

If you're on NT just substitute "type" for "cat" in the above command.
Everything else should work just the same.

If that doesn't scare somebody out of using HTTP_REFERER for security, I
don't know what would.

And yes, you are right about the POST/rePOST thing being hokey. I wouldn't
work with a company that required you to submit data that way.

Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI 49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612

On Mon, 20 Aug 2001, Fotwun wrote:

> How, code wise do I retrieve the session data from the session id. Also,
> another response below said HTTP_REFERRER is not secure. So how do people
> who use this type of payment gateway secure the script it redirects to. All
> of the data it sends is form data, so once somebody knew what script it
> redirects to, and what form data it posts, it would be quite easy for them
> to authorize their own charges in my opinion.

-- 
PHP Database Mailing List (http://www.php.net/)
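The post shows that the Referer header is whatever the client chooses to send, so a script that gates on it will accept a forged request. The following is an added example, not code from the post or from any PHP project, that puts the weak Referer check beside the kind of check the quoted question is asking about: the redirect target verifies an HMAC over the posted form fields, computed with a secret shared between the merchant site and the gateway, so a request carrying the right fields but no valid signature is rejected. The header set, the form fields, the secret and the `sig` field name are all constructed here for illustration; a real gateway defines its own field names and signing scheme.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample: the forged request from the post, reduced to the
# headers the server would see. Everything here came from the client.
SPOOFED_HEADERS = {
    "Host": "127.0.0.1",
    "Referer": "http://www.yoursecuresite.com/cc_info.html",
}

# Hypothetical secret shared between the merchant site and the gateway.
# It never appears in any form field or header the browser can see.
SHARED_SECRET = b"constructed-example-secret"


def referer_check(headers, trusted_prefix="http://www.yoursecuresite.com/"):
    """The weak check: trusts a header the client wrote itself."""
    return headers.get("Referer", "").startswith(trusted_prefix)


def sign_fields(fields, secret=SHARED_SECRET):
    """Signature over the form fields in a canonical (sorted, URL-encoded)
    order, so both sides hash exactly the same bytes."""
    canonical = urlencode(sorted(fields.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def signed_check(fields, secret=SHARED_SECRET):
    """Hardened check: the POST is accepted only if its 'sig' field matches
    the HMAC of the other fields under the shared secret."""
    presented = fields.get("sig")
    if not presented:
        return False
    unsigned = {k: v for k, v in fields.items() if k != "sig"}
    expected = sign_fields(unsigned, secret)
    # Constant-time comparison so the check does not leak the expected value.
    return hmac.compare_digest(expected, presented)


def demo():
    """Runs both checks against a forged POST, a tampered POST and a
    genuinely signed one; returns the outcomes as a dict."""
    # Constructed form data an attacker could post to the redirect script.
    forged = {"order_id": "1001", "amount": "0.01", "status": "authorized"}

    # The same fields, signed by a party that holds the secret.
    legit = dict(forged)
    legit["sig"] = sign_fields(forged)

    # A signed POST whose amount was changed after signing.
    tampered = dict(legit)
    tampered["amount"] = "0.00"

    return {
        "referer_passes_forgery": referer_check(SPOOFED_HEADERS),
        "sig_rejects_forgery": not signed_check(forged),
        "sig_rejects_tampering": not signed_check(tampered),
        "sig_accepts_signed": signed_check(legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The Referer check passes the forged request outright, while the signed check rejects both the unsigned and the tampered POSTs and accepts only the one signed with the secret. The same idea applies to the session question in the quoted message: the value that authorizes an action has to be something the server issued and can verify, never something the client is free to type into a header.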