[PHP] HTTP_REFERER reliability
I have a small login form on the home page of my site. At the moment, when people enter their user details and hit 'send', they go to another page which checks their details and, if they are successful, prints a welcome message. The problem is, they are now on this page and have to work their way back to the home page. I can provide a link for this, of course, but that limits the number of pages that can have such a login panel, because I have to hand-code the return link.

I've experimented using $_SERVER['HTTP_REFERER'] which seems to work here. If the user enters valid login details, the session vars are set and they are bounced automatically back to the original page - which is fab. But the manual says that HTTP_REFERER is unreliable, so I'm intrigued to know exactly what the problems are. Any ideas?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP_REFERER reliability
> But the manual says that HTTP_REFERER is unreliable, so I'm intrigued to know exactly what the problems are. Any ideas?

The HTTP_REFERER field is retrieved from the HTTP Referer: header as used in the HTTP protocol. This field is set entirely by the client browser / application retrieving the data. There is nothing to stop the client from adding malformed, incorrect or spoof data into this field - and thus possibly faking entry to the data you are protecting.

You cannot rely on this field to be accurate, correct or even populated.

--
Dan Hardiker [EMAIL PROTECTED] ADAM Software Systems Engineer First Creative
Re: [PHP] HTTP_REFERER reliability
As you are already using sessions, you can store the original page in a session variable.

rotsky wrote:
> I have a small login form on the home page of my site. At the moment, when people enter their user details and hit 'send', they go to another page which checks their details and, if they are successful, prints a welcome message. The problem is, they are now on this page and have to work their way back to the home page. I can provide a link for this, of course, but that limits the number of pages that can have such a login panel, because I have to hand-code the return link.
>
> I've experimented using $_SERVER['HTTP_REFERER'] which seems to work here. If the user enters valid login details, the session vars are set and they are bounced automatically back to the original page - which is fab. But the manual says that HTTP_REFERER is unreliable, so I'm intrigued to know exactly what the problems are. Any ideas?
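
The session approach suggested in the reply above, as an added example that is not part of the thread: each page that shows the login panel records its own server-side request path in the session, and the login handler redirects there instead of reading the client-supplied Referer header. The function names, the 'return_to' session key and the '/' fallback are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Function names, the 'return_to'
// key and the '/' fallback are assumptions.

// Accept only a same-site path: it must start with a single '/', and must not
// contain backslashes or control characters. This rejects absolute URLs,
// "//host" style off-site targets and CR/LF header injection.
function safe_return_path($candidate, $fallback = '/')
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $fallback;
    }
    return $candidate;
}

// Called by every page that renders the login panel.
function remember_current_page(array &$session, array $server)
{
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    $session['return_to'] = safe_return_path($uri);
}

// Called by the login handler once the credential check has succeeded.
function post_login_target(array &$session)
{
    $stored = isset($session['return_to']) ? $session['return_to'] : null;
    unset($session['return_to']);          // one-shot: do not reuse later
    return safe_return_path($stored);
}

// Constructed demonstration: plain arrays stand in for $_SESSION and $_SERVER.
$session = array();
remember_current_page($session, array(
    'REQUEST_URI'  => '/articles/view.php?id=7',
    'HTTP_REFERER' => 'http://untrusted.example/',  // client-supplied, never read
));
echo post_login_target($session), "\n";  // path stored by the page itself
echo post_login_target($session), "\n";  // nothing stored any more: fallback

// In the real handler, after session_start() and a successful login:
// header('Location: ' . post_login_target($_SESSION)); exit;
```

Because the stored value comes from the server's own view of the request rather than from a header, a missing or forged Referer has no effect on where the user lands.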
Re: [PHP] HTTP_REFERER reliability
Anyone can send any referer (sic) header to your script. It shouldn't be used for checking if someone is trying to hack the script, but it should be fine in your case.

rotsky wrote:
> I've experimented using $_SERVER['HTTP_REFERER'] which seems to work here. If the user enters valid login details, the session vars are set and they are bounced automatically back to the original page - which is fab. But the manual says that HTTP_REFERER is unreliable, so I'm intrigued to know exactly what the problems are. Any ideas?

--
The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.