-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 2:23 PM -0400 9/8/00, Aaron Johnson wrote:
>a) the link actually goes to a local page that then pulls the unique code for
>that user and appends it to the
>URL for the domain2.net site and they are sent with the unique code via post.
>domain2.net then looks up the info for unique code in the shared session
>database.  Along with the code as the key the session database also would hold
>the user name and "clearance" of the user (possibly other fields like IP) and
>the server would also check the HTTP_REFERER to see if it is in the "valid"
>list.

Note that that is neither secure nor reliable.  HTTP_REFERER can be 
trivially forged, and reloads cause it not to appear at all.  That's 
why I recommend an encrypted version of the login information in the 
URL.  You can encrypt a timestamp with it, or allow a given 
encryption key to be used only once, so as to ensure that the URL 
can't be reused by a third party.  Remember too that anything you 
pass in the URL will end up in your log files--do you trust everyone 
who can get access to those?  Are they kept secure?

>Is it hard to spoof a HTTP_REFERER?

Trivial.

>Is it as easy as sending a modified header?

Yes.

- -- 

Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
(Now playing: http://www.somewhere.com/playlist.cgi)

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOblXOiZsPfdw+r2CEQJ1qACfeRX8RNhAFIGWPzYNS4P96Je5oEsAn1ds
0XDzJ4RJdpHZhueoyjXvQzvZ
=OHRN
-----END PGP SIGNATURE-----
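The alternative Kee describes above (login information carried in the URL, bound to a timestamp and usable only once, instead of trusting HTTP_REFERER) as an added worked example. This is not code from the thread or from either site; it assumes a secret key shared by the two sites and a handoff parameter named `t`, both hypothetical. It uses HMAC-SHA256 from the standard library for integrity rather than encryption, so the user name and clearance are readable by anyone who sees the URL, which is exactly the log-file concern raised in the reply; an authenticated-encryption scheme (an AEAD) would keep those fields opaque while giving the same tamper and replay protection.

```python
"""Signed, time-limited, single-use cross-domain login handoff.

Added example, not from the original thread. Assumptions (hypothetical):
SHARED_KEY is a secret known only to the two sites, and the token travels
in a URL parameter. HMAC is used instead of encryption, so the fields are
visible in server logs; use an AEAD to hide them.
"""
import base64
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"replace-with-a-long-random-secret-shared-by-both-sites"  # assumed
TOKEN_TTL = 60      # seconds a token stays valid after issue
CLOCK_SKEW = 5      # tolerated seconds of clock drift between the sites
TAG_LEN = 32        # SHA-256 output size


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, clearance: str, key: bytes = SHARED_KEY, now=None) -> str:
    """Site 1 builds the token: fields + issue time + random one-time nonce,
    then an HMAC tag over the exact bytes so nothing can be altered in transit."""
    issued = int(time.time() if now is None else now)
    payload = {"u": user, "c": clearance, "t": issued, "n": os.urandom(16).hex()}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64encode(body + tag)


class TokenVerifier:
    """Site 2 checks the signature first, then freshness, then replay."""

    def __init__(self, key: bytes = SHARED_KEY, ttl: int = TOKEN_TTL):
        self.key = key
        self.ttl = ttl
        # Nonces already redeemed. In production this must live in storage
        # shared by every server of site 2 (the thread's shared session database).
        self.seen = set()

    def verify(self, token: str, now=None):
        """Returns (fields, "ok") or (None, reason)."""
        now = int(time.time() if now is None else now)
        try:
            raw = _b64decode(token)
        except (ValueError, TypeError):
            return None, "malformed"
        if len(raw) <= TAG_LEN:
            return None, "malformed"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None, "bad signature"
        payload = json.loads(body)
        if payload["t"] - now > CLOCK_SKEW:
            return None, "not yet valid"
        if now - payload["t"] > self.ttl:
            return None, "expired"
        if payload["n"] in self.seen:
            return None, "replayed"          # a copied URL cannot be reused
        self.seen.add(payload["n"])
        return {"user": payload["u"], "clearance": payload["c"]}, "ok"


def tamper_clearance(token: str, new_clearance: str) -> str:
    """What an attacker who can read the URL might try: edit the visible
    clearance field and keep the original tag. The HMAC check rejects it."""
    raw = _b64decode(token)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    payload = json.loads(body)
    payload["c"] = new_clearance
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64encode(body + tag)


if __name__ == "__main__":
    verifier = TokenVerifier()
    token = issue_token("alice", "staff", now=1000)
    print(verifier.verify(token, now=1010))                      # accepted
    print(verifier.verify(token, now=1011))                      # replayed
    print(verifier.verify(issue_token("alice", "staff", now=1000), now=1100))  # expired
    print(verifier.verify(tamper_clearance(token, "admin"), now=1010))  # bad signature
```

The order of checks matters: the signature is verified before the body is parsed or any state is consulted, so an unauthenticated request can neither drive the JSON parser nor fill the nonce store. The nonce store is what makes the token single-use; the timestamp bounds how long that store has to remember each nonce.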