On 3 Apr 2001 21:02:34 -0700, Les Neste <[EMAIL PROTECTED]> wrote:
>Correct me if I'm wrong, but isn't it possible to fake the referrer?  

Quite easily, even when doing it by hand using telnet or netcat.

>This may not matter for your application -- are you writing a financial app
>or a personal portfolio? -- but if you really need to authenticate the
>source of data that comes from some other IP address (as is the case with a
>web browser) then you're into PGP keys and signed certificates.

s/PGP/SSL/. Although it's not anywhere near as common, SSL supports client
certificates. Normally, we only see the server certificate which lets you know
who the server is - client certificates allow the server to do the same thing.
I've been meaning to set up a demo of this for a while, but you should be able to
read the verified certificate info from the webserver environment, which makes
controlling access rather simple for your scripts.  

The downside is the need to get client certificates on every client system,
which is expensive and inconvenient. While setting up your own CA eliminates
the former concern, there's little which can be done about the latter.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
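
The access check described in the reply above, as an added example that is not part of the original post. It assumes Apache mod_ssl with `SSLVerifyClient require`, `SSLCACertificateFile` pointing at your own CA, and `SSLOptions +StdEnvVars` so the `SSL_CLIENT_*` variables reach PHP; the allowlist, issuer DN and sample requests are constructed for illustration.

```php
<?php
// Added example. client_role(), ALLOWED_CLIENTS and EXPECTED_ISSUER are
// hypothetical names; all certificate values below are constructed.

// Subject CN => role for certificates issued by the private CA.
const ALLOWED_CLIENTS = [
    'reports-workstation-01' => 'reader',
    'ops-laptop-07'          => 'admin',
];
// Issuer DN of the private CA. The string format depends on the server
// version, so copy the value your server actually emits.
const EXPECTED_ISSUER = 'CN=Example Internal CA,O=Example Org';

/** Returns the role for a verified client certificate, or null to deny. */
function client_role(array $server): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    // Only SUCCESS means the chain validated against the configured CA.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    // Pin the issuer so a certificate from another trusted CA is rejected.
    if (($server['SSL_CLIENT_I_DN'] ?? '') !== EXPECTED_ISSUER) {
        return null;
    }
    // HTTP_REFERER is never consulted: it is a client-supplied header.
    return ALLOWED_CLIENTS[$server['SSL_CLIENT_S_DN_CN'] ?? ''] ?? null;
}

// Constructed sample environments standing in for $_SERVER.
$samples = [
    'verified admin' => ['SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_I_DN' => EXPECTED_ISSUER,
        'SSL_CLIENT_S_DN_CN' => 'ops-laptop-07'],
    'no certificate, plausible referrer' => ['SSL_CLIENT_VERIFY' => 'NONE',
        'HTTP_REFERER' => 'https://intranet.example/admin/'],
    'valid chain, wrong issuer' => ['SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_I_DN' => 'CN=Some Public CA,O=Other',
        'SSL_CLIENT_S_DN_CN' => 'ops-laptop-07'],
    'verified but not on allowlist' => ['SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_I_DN' => EXPECTED_ISSUER,
        'SSL_CLIENT_S_DN_CN' => 'unknown-host'],
];

foreach ($samples as $label => $env) {
    printf("%-36s => %s\n", $label, client_role($env) ?? 'DENY');
}
```

In a real request handler, pass `$_SERVER` to `client_role()` and return a 403 when it yields null.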
