> How about a hidden flash app that uses the xmlload method to grab the
> http_host/http_referer from the server in a hash format that is then
> passed with all forms/urls? On the next pages, the hash returned by
> flash would be compared with a hash of the
> cgi.http_host/cgi.http_referer returned by CF/web server. While they
> could fake the http_host/http_referer in the web client, it would be
> different from the value returned by flash, so you could reject it.
>
> I don't know enough about flash to know if that's easy to get around.

Presumably, if it's a hash of the host and referer headers, it would always
be the same for a given host and referer combination, which means that it
would be easy for someone to see what the right value should be and simply
specify the same value in their automated HTTP client.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
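To make the objection concrete, here is an added example (not code from the thread or from Fig Leaf Software): `weak_token` models the proposed client-side hash of host and referer, and `TokenStore` is an assumed alternative in which the server issues a random per-session value it keeps and compares itself, so nothing a client can compute on its own is accepted.

```python
import hashlib
import hmac
import secrets


def weak_token(http_host: str, http_referer: str) -> str:
    """The scheme from the thread: a hash of host + referer.

    The value depends only on two headers the client chooses, so any
    client that knows (or observes) them can produce the "right" token.
    """
    return hashlib.sha256(f"{http_host}|{http_referer}".encode()).hexdigest()


class TokenStore:
    """Assumed alternative: server-generated, per-session, unguessable tokens.

    The dict stands in for a real session store; the token is issued when a
    form is rendered and checked when the form is posted back.
    """

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}  # session id -> token

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, presented: str) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None:
            return False  # no token was ever issued for this session
        # constant-time comparison so the check itself leaks nothing
        return hmac.compare_digest(expected, presented)


def is_client_computable(http_host: str, http_referer: str) -> bool:
    """True if a second party can recompute the token from the headers alone."""
    return weak_token(http_host, http_referer) == weak_token(http_host, http_referer)
```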