I wasn't trying to be overly critical, I just worry that new users are
reading these posts and see these insecure solutions to this problem and
don't realize that they are inherently insecure.

> What I'm asking is basically "What's the best and easiest way to go about
> this?" I have come up with a solution of sorts though, and I'd be interested
> in your opinion. I set up a user with a PHP session, and of course a timeout.
> If they have cookies turned on, I set another cookie with a hash of the
> username and password, or something else. But my final line of defense for
> users that don't have cookies is a URL and HTTP_REFERER comparison check.
> That is, on every request I log the URL requested as a session variable. On
> every subsequent request I compare the HTTP_REFERER with the logged URL, and
> if they match there's a pretty good chance it's not someone spoofing.
> Granted, it's not foolproof, but it'd be pretty hard to spoof, right?

Well, "pretty hard to spoof" is very relative.  It is basically security
through obscurity.  From the description you just provided it is trivial
to spoof it.  Remember that the HTTP_REFERER comes from the client and can
very easily be spoofed.

-Rasmus


-- 
PHP General Mailing List (http://www.php.net/)
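To make the point concrete, here is an added example (not code from the thread or from PHP's own documentation) that places the referer-based check described in the question next to a session check that relies only on state held on the server. The function names, the idle timeout value and the sample user table are assumptions made for this illustration; the `$_SERVER`, `$_SESSION`, `session_*`, `password_*` and `ini_set` calls are standard PHP (the array form of `session_set_cookie_params` needs PHP 7.3 or later).

```php
<?php
// Added example, not from the thread. Contrasts the HTTP_REFERER check
// proposed in the question with a server-side session check. Function
// names such as require_login() are hypothetical.

// --- The approach from the question: do not use this for authentication.
// HTTP_REFERER is just a request header supplied by the client, so a
// match only proves that the sender chose to send a matching value.
function referer_matches_last_url(array $server, array $session): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $logged  = $session['last_url'] ?? '';
    return $referer !== '' && $referer === $logged;
}

// --- Server-side alternative: every security decision reads $_SESSION,
// which lives on the server. The client only holds an unguessable
// session id, and we control how that id may be presented.
function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'httponly' => true,  // keep the id out of reach of client-side script
        'secure'   => true,  // send the cookie over TLS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

// $users maps username => password_hash() output. Verifying here means the
// password is never stored in a cookie, hashed or otherwise.
function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // new id on privilege change (anti-fixation)
    $_SESSION['user']      = $user;
    $_SESSION['last_seen'] = time();
    return true;
}

// Idle timeout enforced from the server-side timestamp, not from anything
// the client sends. $timeout is an assumed value in seconds.
function require_login(int $timeout = 900): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > $timeout) {
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Constructed sample data for a stand-alone run (the hash is generated
// here rather than copied from anywhere).
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

start_secure_session();
if (!require_login()) {
    // In a real app the credentials come from the login form.
    if (login('alice', 'correct horse battery staple', $users)) {
        echo "logged in as {$_SESSION['user']}\n";
    } else {
        echo "login failed\n";
    }
} else {
    echo "session still valid for {$_SESSION['user']}\n";
}
```

The fallback for users without cookies is the weak spot in the original plan: PHP can carry the session id in the URL instead, but a URL-borne id is copied into Referer headers, proxy logs and bookmarks, which is why `session.use_only_cookies` is set above and a cookieless browser simply cannot stay logged in.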
