[PHP] secure alternative to HTTP_REFERER

2007-04-24 Thread AraDaen
I'm looking for info about a secure alternative to the use of 
$_SERVER['HTTP_REFERER'] to check in a script where the $_POST vars are
arriving from.

any suggestion?

Thanks a lot.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] secure alternative to HTTP_REFERER

2007-04-24 Thread Stut

AraDaen wrote:
I'm looking for info about a secure alternative to the use of 
$_SERVER['HTTP_REFERER'] to check in a script where the $_POST vars are
arriving from.

You could put a hash value into a hidden field on the form, and also 
store it in the session. When the form is submitted only accept it if 
the hashes match.


However, this is very easy to get around, so I suggest you consider why 
you think you need this level of checking. Assuming you're properly 
validating and escaping all input coming from outside the app, IMHO this 
type of security should not be needed.


-Stut




Re: [PHP] secure alternative to HTTP_REFERER

2007-04-24 Thread Chris Shiflett
Stut wrote:
 You could put a hash value into a hidden field on the form, and
 also store it in the session. When the form is submitted only
 accept it if the hashes match.
 
 However, this is very easy to get around, so I suggest you
 consider why you think you need this level of checking. Assuming
 you're properly validating and escaping all input coming from
 outside the app, IMHO this type of security should not be needed.

It can be useful when you want to verify intent, which is an important
consideration these days:

http://shiflett.org/articles/cross-site-request-forgeries

(I have an update that I need to publish, but this should be enough to
explain the potential problems this technique can help prevent.)

Chris

-- 
Chris Shiflett
http://shiflett.org/




Re: [PHP] secure alternative to HTTP_REFERER

2007-04-24 Thread AraDaen
Thanks guys, now I know what I must do :)



Chris Shiflett wrote:
 Stut wrote:
 You could put a hash value into a hidden field on the form, and
 also store it in the session. When the form is submitted only
 accept it if the hashes match.

 However, this is very easy to get around, so I suggest you
 consider why you think you need this level of checking. Assuming
 you're properly validating and escaping all input coming from
 outside the app, IMHO this type of security should not be needed.

 It can be useful when you want to verify intent, which is an important
 consideration these days:

 http://shiflett.org/articles/cross-site-request-forgeries

 (I have an update that I need to publish, but this should be enough to
 explain the potential problems this technique can help prevent.)

 Chris




Re: [PHP] secure alternative to HTTP_REFERER

2007-04-24 Thread Richard Lynch
On Tue, April 24, 2007 9:35 am, AraDaen wrote:
 I'm looking for info about a secure alternative to the use of
 $_SERVER['HTTP_REFERER'] to check in a script where the $_POST vars are
 arriving from.

 any suggestion?

HTTP_REFERER is not even reliably sent by all browsers, much less
useful as a security device...

So you're kind of like asking for a valid replacement of a bicycle
chain used as an ice cream cone to start with...

If you want to be certain that a user has come from a previous page,
and you control the output of that page, it's pretty easy, really...

You can generate a unique id (http://php.net/uniqid) and embed that in
any FORM or A tags (or JS code) as well as in your DB, and then
compare the token they send with what you have.

It's no guarantee that somebody else didn't sniff the HTTP exchange
and is spoofing that they are the original recipient, however...

If you have no control over the previous page's HTML, there's nothing
you can do at all, and HTTP_REFERER is pretty unreliable.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

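The session-backed form token that Stut and Richard Lynch describe, written out as an added example (not code from anyone in the thread). It takes the session and POST data as plain arrays so it can be run from the CLI; `random_bytes()` and `hash_equals()` are this example's choices for an unguessable token and a constant-time compare, not something the thread specifies.

```php
<?php
// Added example, not from the thread: a CSRF token kept in the session,
// echoed back through a hidden form field, and compared on submit.
// Arrays stand in for $_SESSION and $_POST so this runs from the CLI.
// random_bytes()/hash_equals() are used instead of uniqid() so the token is
// unguessable and the comparison is constant-time (this example's choice).
declare(strict_types=1);

const CSRF_KEY = 'csrf_token';

/** Create the per-session token on first use and return it for the form. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

/** Render the hidden field; htmlspecialchars() guards the attribute context. */
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_KEY . '" value="' . $token . '">';
}

/** Accept the POST only when its token matches the session copy exactly. */
function csrf_verify(array $session, array $post): bool
{
    $expected = $session[CSRF_KEY] ?? '';
    $given    = $post[CSRF_KEY] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;   // no token was ever issued, or the field is malformed
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// CLI self-check with a constructed session and two constructed POST bodies.
$session = [];
echo csrf_field($session), PHP_EOL;

// A submission from our own form carries the token the session knows about.
$fromOurForm = [CSRF_KEY => $session[CSRF_KEY], 'amount' => '10'];
// A form posted from another site cannot read our session and has no token.
$fromElsewhere = ['amount' => '10'];

var_dump(csrf_verify($session, $fromOurForm));
var_dump(csrf_verify($session, $fromElsewhere));
```

Rotating the token after each successful check (unset `$session[CSRF_KEY]` in the success path) limits how long a token captured in transit stays valid, which is the weakness Richard points out.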