"1LT John W. Holmes" wrote:

> Well, if you fix #1, that will fix #2 because you can use $_SERVER["HTTPS"],
> which can't be spoofed by the user. What versions of PHP and Apache are you
> using, on what OS?
>
> ---John Holmes...
>

Oops,

Just run up phpinfo and this appears to be php 4.0.1pl2, Stronghold 3.0/Apache 1.13.9
and Debian 2.2.20.

I guess the 4.0.1pl2 explains the absence of $_SERVER, but I would still have expected
it in $HTTP_SERVER_VARS, wouldn't I?

Anyway, it sounds like you've answered my key concern that HTTPS, and all the other
Apache variables SHOULD be in $_SERVER, even if with this stupid *** build they
aren't. I suppose I'll just have to rely on $SERVER_PORT not changing for the SSL
port until I can manage to persuade the System Administrators to upgrade the
php again.

(My main problem with getting them to keep up to date is that Debian's php
package lags so far behind, and they really don't like upgrading unless Debian
have rubber stamped it).

Kind regards,

George

>
> ----- Original Message -----
> From: "George Whiffen" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, May 15, 2002 7:35 AM
> Subject: [PHP] HTTPS spoofing and $_SERVER
>
> > Hi,
> >
> > I want to know if the user is connected on a secure socket and have two
> > problems:
> >
> > 1. My Apache (Stronghold) variables are not turning up in $_SERVER or
> > $HTTP_SERVER_VARS, although they are in $GLOBALS, e.g. I have
> > $GLOBALS[SERVER_PORT] but not $_SERVER[SERVER_PORT].
> > This is with track vars and register globals both on. It seems I have
> > to rely on the $GLOBALS value and be careful with variables_order.
> >
> > 2. As well as $SERVER_PORT, I also get $HTTPS, but only if it is
> > an HTTPS connect, i.e. on a secure connect, $HTTPS == 'on', but on an
> > insecure connect it is not set. This makes it easy to spoof even with
> > variables_order set to ECGPS. I could just use $SERVER_PORT, which is
> > always set and thus not so easily spoofed, but then I have to worry if
> > the secure port changes.
> >
> > Any suggestions?
> >
> > George
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
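
The behaviour described in the original question, as an added example that is not part of the thread: a small PHP model of the register_globals import under variables_order ECGPS, showing why the always-set SERVER_PORT ends up with the server's value while the only-set-when-secure HTTPS does not. The function names and the sample request are constructed for illustration, and the code is a simulation that runs on current PHP, not on the PHP 4 build discussed.

```php
<?php
// Added illustration: models how register_globals copied request data
// into the global scope, walking variables_order from left to right.

/**
 * Simulate the import. A later source overwrites an earlier one, but a
 * name the later source does not define keeps the earlier value.
 */
function import_globals(string $order, array $sources): array
{
    $globals = [];
    foreach (str_split($order) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

/** Decide from the server array alone, never from the merged globals. */
function is_https(array $server): bool
{
    return isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on';
}

// Constructed sample: a plain-HTTP request whose query string carries
// both names the script would otherwise read as globals.
$sources = [
    'E' => [],
    'C' => [],
    'G' => ['HTTPS' => 'on', 'SERVER_PORT' => '443'],
    'P' => [],
    'S' => ['SERVER_PORT' => '80'], // no HTTPS key on an insecure connect
];

$globals = import_globals('ECGPS', $sources);

// HTTPS: S defines no such key, so the request-supplied value is still there.
var_dump($globals['HTTPS']);
// SERVER_PORT: S always defines it, so the server value replaces the request's.
var_dump($globals['SERVER_PORT']);
// Reading the server array directly is unaffected by the request.
var_dump(is_https($sources['S']));
```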

