Hi again Rasmus, thanks for your reply.
Rasmus Lerdorf <[EMAIL PROTECTED]> said:
> I wasn't trying to be overly critical, I just worry that new users are
> reading these posts and see these insecure solutions to this problem and
> don't realize that they are inherently insecure.
>
I understand Rasmus, and don't worry, I wasn't being overly sensitive.
However as I said, I'm not looking for the ultimate authentication solution
here, I'm looking for the best I can possibly do - without making it too
awkward - in a forms- and sessions- based situation. What I have difficulty
with is understanding how the thousands of websites I mentioned manage it
without being overly concerned about security. Or is that the problem -
they're not concerned enough, and we should all be using PKIs? For regular
websites though, I think that might be overkill, especially when a huge
majority of people don't understand even the fundamentals of security and
encryption. (I tried to explain it to my Dad last night, it was painful but
productive. :)
> Well, "pretty hard to spoof" is very relative. It is basically security
> through obscurity. From the description you just provided it is trivial
> to spoof it. Remember that the HTTP_REFERER comes from the client and can
> very easily be spoofed.
>
I know security through obscurity is a bad thing (or at least it's *seen* as
a bad thing. I don't necessarily subscribe to it being inherently bad, just
something that should be used with care) but in this case I have to clench my
teeth, put my hands over my head and say I think you're missing my point, or
that you're not following me fully.
I realise that the HTTP_REFERER can be spoofed - quite easily in fact, I
could spoof it myself in a few lines of PHP code - but the chances of Eve
guessing the right HTTP_REFERER to send are pretty remote, don't you think?
Unless they're standing behind Alice and looking over her shoulder - in which
case Alice's security is compromised anyway - Eve isn't going to know which
page Alice last visited. So the only way Eve could take over Alice's session
is to visit every page on the site using Alice's session ID. And if Alice is
still browsing the site, it makes it even harder, because Alice will be
moving the target around.
Yes, it's security through obscurity, but isn't it so obscure that It Just
Might Work? Please, I'm not saying you're wrong here, I'm genuinely interested
in your opinion. If you think I'm wrong, tell me, I'd prefer to know. And if
you have a better solution for the problem I'm facing, I'd love to hear about
it. I just have a blank wall in front of me and I can't find my sledge. :)
adam
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
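The Referer-binding scheme discussed in this thread, written out as a small model so the two positions can be checked against running code. This is an added example, not code from either poster: the page names, the session store and the function names are constructed for illustration. The model remembers the last page each session was served and accepts a request only when its Referer names that page (the "moving target"); `binding_entropy_bits` then states what that check actually adds on top of the session ID: the expected value is one of a small, public list of site URLs, so the check contributes at most log2(number of pages) bits, whereas the random session ID carries 128.

```python
import math
import secrets

# Constructed list of site pages (hypothetical; stands in for "every page on the site").
SITE_PAGES = ["/index.php", "/account.php", "/orders.php", "/profile.php"]


class RefererBoundSessions:
    """Model of the scheme described in the thread: each session records the
    last page it was served, and later requests must carry that page as their
    Referer. Constructed for illustration, not the poster's code."""

    def __init__(self):
        self._last_page = {}

    def start(self):
        # 128-bit random session id, as a real session framework would issue.
        sid = secrets.token_hex(16)
        self._last_page[sid] = None
        return sid

    def handle_request(self, sid, path, referer):
        """Return True if the request is honoured, False if it is rejected.
        The first request of a fresh session has no expected Referer yet."""
        if sid not in self._last_page:
            return False
        expected = self._last_page[sid]
        if expected is not None and referer != expected:
            # Referer does not match the page this session was last served.
            return False
        # Advance the "moving target" to the page just served.
        self._last_page[sid] = path
        return True


def binding_entropy_bits(pages):
    """Upper bound on what the Referer check adds beyond the session id.
    The expected Referer is always one of the site's own URLs, a public list,
    so the check is worth at most log2(len(pages)) bits of guessing work."""
    return math.log2(len(pages))


def session_id_entropy_bits():
    """For comparison: the entropy of the session id issued by start()."""
    return 16 * 8


if __name__ == "__main__":
    store = RefererBoundSessions()
    sid = store.start()
    print(store.handle_request(sid, "/index.php", None))          # True
    print(store.handle_request(sid, "/account.php", "/index.php"))  # True
    print(store.handle_request(sid, "/orders.php", "/index.php"))   # False: stale Referer
    print(binding_entropy_bits(SITE_PAGES), session_id_entropy_bits())
```

Two practical points fall out of the model. First, the check is keyed on a value the server publishes (its own page URLs) and the client supplies, which is why it is obscurity rather than a secret: its strength is bounded by the page count, not by a random quantity. Second, the Referer header is optional in HTTP and is routinely omitted by browsers, privacy settings and proxies, so legitimate users of this scheme are rejected on the same path as forged requests; any deployment needs a fallback for that case.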