Well, if you fix #1, that will fix #2 because you can use $_SERVER["HTTPS"],
which can't be spoofed by the user. What versions of PHP and Apache are you
using, on what OS?

---John Holmes...

----- Original Message -----
From: "George Whiffen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 15, 2002 7:35 AM
Subject: [PHP] HTTPS spoofing and $_SERVER


> Hi,
>
> I want to know if the user is connected on a secure socket and have two
> problems:
>
> 1. My Apache (Stronghold) variables are not turning up in $_SERVER or
> $HTTP_SERVER_VARS
> although they are in $GLOBALS e.g. I have $GLOBALS[SERVER_PORT] but not
> $_SERVER[SERVER_PORT].
> This is with track vars and register globals both on. It seems I have
> to rely on the $GLOBALS value and be careful with variables_order.
>
> 2. As well as $SERVER_PORT, I also get $HTTPS, but only if it is
> an HTTPS connect i.e. on a secure connect, $HTTPS == 'on', but on an
> insecure connect it is not set.  This makes it easy to spoof even with
> variables_order set to ECGPS. I could just use $SERVER_PORT, which is
> always set and thus not so easily spoofed but then I have to worry if
> the secure port changes.
>
> Any suggestions?
>
> George
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
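
An added example, not part of either message: a small PHP model of the behaviour described in point 2 and of the $_SERVER check suggested in the reply. import_globals() and is_https() are hypothetical helpers, the request arrays are constructed, and the overwrite-in-order merge is a simplified stand-in for register_globals.

```php
<?php
// Added example: models how register_globals filled one flat scope.
// import_globals() and is_https() are hypothetical; request data is constructed.

/**
 * Each source named in $order (E, C, G, P, S) is copied into the scope in
 * turn, so a later source overwrites an earlier one with the same name.
 */
function import_globals(string $order, array $sources): array
{
    $scope = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $scope[$name] = $value;
        }
    }
    return $scope;
}

/** Reads only the server array, never the merged global scope. */
function is_https(array $server): bool
{
    return isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on';
}

// Constructed plain-HTTP request carrying HTTPS=on in the query string.
$plain = [
    'G' => ['HTTPS' => 'on'],
    'S' => ['SERVER_PORT' => '80'],   // the server sets no HTTPS key here
];
// Constructed HTTPS request; the client sends a conflicting parameter.
$secure = [
    'G' => ['HTTPS' => 'off'],
    'S' => ['SERVER_PORT' => '443', 'HTTPS' => 'on'],
];

foreach (['plain' => $plain, 'secure' => $secure] as $label => $req) {
    // Same order as in the question: server values are imported last.
    $scope = import_globals('ECGPS', $req);
    printf(
        "%-6s global \$HTTPS=%-5s server-only check=%s\n",
        $label,
        var_export($scope['HTTPS'] ?? null, true),
        var_export(is_https($req['S']), true)
    );
}
```

Importing the server values last protects only the names the server actually sets, so on the plain request the GET value survives in the merged scope while the server-only check is unaffected.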

