Now I know what I am going to talk about is not directly related to this MySQL list, but I am in need of some concept ideas.

To set the background: it's a very common practice in the registration process of a new user to verify the user's email address is valid by sending an email to the entered email address with a link in it to a screen that updates the user's email verified flag in his table record. I have such a process. Once a week I review my Apache activity log, and I noticed a lot of log records for the file that processes the link to update the user's email verified flag (over 1500 from the same IP address). To me this looked like an attack to break into my web application. Research and testing indicate that the screen is cached by the user's browser and he is changing the passed link info repeatedly in an effort to break in. This screen is the only one that does not have session security control because it's launched from the verify email I sent him.

Now my registration sign-up screen has a Captcha Security Code Random-Noisy-Image, and part of that is a string of headers to the browser to stop caching. They look like this:

// send several headers to make sure the image is not cached
// taken directly from the PHP Manual
// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
// HTTP/1.0
header("Pragma: no-cache");

Now my desire is to somehow have the screen that is the target of the email link issue these headers before displaying its HTML code, so the user can no longer run a script against this screen trying to break in. Is this possible, and if so, how? Is this kind of attack happening to anyone else? Thanks for any help you can offer.

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
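An added example, not the original poster's code, showing one way the page behind the emailed link can send those same no-cache headers before any output and, more importantly, validate the link with a random, single-use, expiring token so that repeated requests with altered link parameters cannot succeed. It assumes PHP 7 or later, a PDO connection in `$pdo`, and a hypothetical `users` table with columns `id`, `email_verified`, `verify_token_hash` and `verify_token_expires`.

```php
<?php
// Added example (not the original poster's code). Assumes PHP 7+, a PDO
// connection in $pdo, and a hypothetical `users` table with the columns
// id, email_verified, verify_token_hash, verify_token_expires.

// Called at sign-up: make an unguessable token, store only its hash,
// and return the raw token to embed in the emailed link.
function issue_verify_token(PDO $pdo, int $userId): string {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $pdo->prepare(
        'UPDATE users SET verify_token_hash = ?, verify_token_expires = ? WHERE id = ?'
    );
    $stmt->execute([hash('sha256', $token), time() + 86400, $userId]); // valid 24h
    return $token;
}

// The page the emailed link points at, e.g. verify.php?t=<token>.
// Returns true only when a fresh, unused token was just consumed.
function handle_verify_link(PDO $pdo, ?string $token): bool {
    // Headers must go out before any HTML; same set the poster already uses.
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");

    // Caching is not what lets a script retry the page; an unguessable token
    // is what makes retries futile. Reject anything that is not 64 hex chars.
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    // Look up by token hash, not by a user id taken from the URL, so the link
    // carries nothing that can be enumerated.
    $stmt = $pdo->prepare(
        'SELECT id, verify_token_expires FROM users WHERE verify_token_hash = ? AND email_verified = 0'
    );
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int)$row['verify_token_expires'] < time()) {
        return false;                               // unknown, already used, or expired
    }
    // Single use: set the flag and clear the token in one statement.
    $upd = $pdo->prepare(
        'UPDATE users SET email_verified = 1, verify_token_hash = NULL, verify_token_expires = NULL WHERE id = ? AND email_verified = 0'
    );
    $upd->execute([$row['id']]);
    return $upd->rowCount() === 1;
}
```

Calling `handle_verify_link($pdo, $_GET['t'] ?? null)` from the verification page and showing only a generic success or failure message leaves nothing for a script to learn by varying the link, and the Apache log entries from a retrying client become noise rather than a risk.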