[PHP] HTTP_REFERER security implications?
I am working on a simple authentication script, where the user submits a login and password, the credentials are checked and the user is redirected to another script. The new script checks the HTTP_REFERER and if it's the original script it continues, otherwise it stops with a message about being unauthorized.

What kind of security implications may I be backing myself into? I want to try and stay away from cookies, and as small as this is I think session management is a little overkill. The average user isn't going to spend much more than 1 or 2 minutes on the site (not much for them to see or do). I have seen this method used on other sites, but I prefer to check with the experts first.

thanks,
-- Tom

-- PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HTTP_REFERER security implications?
----- Original Message -----
From: Tom Woody [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 10, 2003 9:53 AM
Subject: [PHP] HTTP_REFERER security implications?

> I am working on a simple authentication script, where the user submits a login and password, the credentials are checked and the user is redirected to another script. The new script checks the HTTP_REFERER and if it's the original script it continues, otherwise it stops with a message about being unauthorized.
>
> What kind of security implications may I be backing myself into? I want to try and stay away from cookies, and as small as this is I think session management is a little overkill. The average user isn't going to spend much more than 1 or 2 minutes on the site (not much for them to see or do). I have seen this method used on other sites, but I prefer to check with the experts first.
>
> thanks,
> -- Tom

Yes, I have read that the HTTP_REFERER can easily be faked by controlling the name on a proxy server (although I have never done so myself). Once set up, all you have to do is post through an identical form and voila, you're in. A good analogy of the level of security we're talking about is a common door lock... enough to keep out the casual individual, but a thief can enter with little or no trouble. And isn't it the thieves you're worried about?

-Kevin
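The point Kevin makes can be shown without a proxy at all: the Referer header is ordinary text chosen by the client, so any HTTP client (for example `curl -H 'Referer: http://example.com/login.php' http://example.com/protected.php`) can supply whatever value the check expects. The script below is an added example, not code from this thread; it implements the check Tom describes and runs it against a browser request, a hand-built forged request, and a request whose proxy stripped the header. The hostname, script names and request contents are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The login-script URL, the
// protected-script path and the hostname are placeholders (assumed).
const LOGIN_SCRIPT = 'http://example.com/login.php';

/**
 * The check the protected script performs, as described in the original post:
 * continue only if the Referer header names the login script.
 * $server is an array shaped like $_SERVER.
 */
function refererAllows(array $server): bool
{
    return isset($server['HTTP_REFERER'])
        && $server['HTTP_REFERER'] === LOGIN_SCRIPT;
}

/**
 * Build the $_SERVER-style HTTP_* entries a web server would derive from a
 * raw request, so the same check can be run against a hand-made request.
 */
function serverArrayFromRaw(string $raw): array
{
    $server = [];
    foreach (explode("\r\n", $raw) as $line) {
        if (preg_match('/^([A-Za-z-]+):\s*(.*)$/', $line, $m)) {
            $key = 'HTTP_' . strtoupper(str_replace('-', '_', $m[1]));
            $server[$key] = $m[2];
        }
    }
    return $server;
}

// 1. Constructed: what the browser sends after being redirected from login.php.
$browserRequest = ['HTTP_REFERER' => LOGIN_SCRIPT];

// 2. Constructed: what an attacker sends without ever loading login.php.
//    The Referer header is plain text chosen by the client; the server has
//    no way to tell this copy from the browser's.
$forgedRaw = "GET /protected.php HTTP/1.1\r\n"
    . "Host: example.com\r\n"
    . "Referer: " . LOGIN_SCRIPT . "\r\n"
    . "\r\n";
$attackerRequest = serverArrayFromRaw($forgedRaw);

// 3. Constructed: a legitimate user whose proxy strips the Referer header
//    (the case Don Read measures later in the thread).
$proxiedRequest = ['HTTP_HOST' => 'example.com'];

foreach ([
    'browser' => $browserRequest,
    'forged'  => $attackerRequest,
    'proxied' => $proxiedRequest,
] as $label => $request) {
    printf("%-8s allowed=%s\n", $label, refererAllows($request) ? 'yes' : 'no');
}
```

The check accepts the forged request exactly as it accepts the browser's, because both arrive with the same header bytes, and it rejects the proxied user who never touched the header. That is the failure mode in both directions: the header is neither secret nor reliably present, so it can serve as a hint at most, never as the credential.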
RE: [PHP] HTTP_REFERER security implications?
On 10-Mar-2003 Tom Woody wrote:
> I am working on a simple authentication script, where the user submits a login and password, the credentials are checked and the user is redirected to another script. The new script checks the HTTP_REFERER and if it's the original script it continues, otherwise it stops with a message about being unauthorized.
>
> What kind of security implications may I be backing myself into? I want to try and stay away from cookies, and as small as this is I think session management is a little overkill. The average user isn't going to spend much more than 1 or 2 minutes on the site (not much for them to see or do). I have seen this method used on other sites, but I prefer to check with the experts first.

If they use a proxy that doesn't send HTTP_REFERER, it'll break things. My numbers say it happens about 15% of the time:

mysql> select count(*) from hit where urlid=0;
+----------+
| count(*) |
+----------+
|    83082 |
+----------+
1 row in set (0.53 sec)

mysql> select count(*) from hit;
+----------+
| count(*) |
+----------+
|   541557 |
+----------+
1 row in set (0.00 sec)

Since you don't want to use sessions, maybe the 401 WWW-Authenticate method would work better for your application.

Regards,
-- Don Read [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to steal the neighbor's newspaper, that's the time to do it.
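Don's suggestion, HTTP Basic authentication, fits Tom's constraints because the browser itself carries the credentials on every request, so the server needs neither a cookie nor server-side session state. The script below is an added example (not from this thread or from PHP's own documentation) of the 401 / WWW-Authenticate flow in PHP: the user store, realm name and demo password are constructed for the example, and the $_SERVER arrays it runs against are simulated rather than taken from a live request.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: HTTP Basic authentication driven
// by a 401 / WWW-Authenticate challenge, the alternative Don Read suggests.
// The user store, realm name and demo password are constructed for the example.

/**
 * Check a username/password pair against a store of password_hash() values.
 * Unknown users still pay the cost of one password_verify() so that a missing
 * username is not measurably faster than a wrong password.
 */
function authenticate(array $users, ?string $user, ?string $pass): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    if ($user === null || $pass === null || !isset($users[$user])) {
        password_verify($pass ?? '', $dummyHash);
        return false;
    }
    return password_verify($pass, $users[$user]);
}

/**
 * Gate a page behind Basic auth. Returns true when the request carried valid
 * credentials; otherwise emits the 401 challenge and returns false so the
 * caller can stop. $server is an array shaped like $_SERVER.
 */
function requireBasicAuth(array $users, array $server, string $realm): bool
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (authenticate($users, $user, $pass)) {
        return true;
    }
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    echo "Unauthorized\n";
    return false;
}

// Constructed store. In a real deployment the hash is generated once
// (e.g. php -r 'echo password_hash("...", PASSWORD_DEFAULT);') and stored,
// never recomputed on each request as this demo does.
$users = ['tom' => password_hash('s3cret-demo', PASSWORD_DEFAULT)];

// Simulated $_SERVER arrays (constructed). Under Apache's mod_php the real
// $_SERVER carries PHP_AUTH_USER / PHP_AUTH_PW once the browser answers the
// challenge; other SAPIs may need the Authorization header passed through.
foreach ([
    'no credentials' => [],
    'wrong password' => ['PHP_AUTH_USER' => 'tom', 'PHP_AUTH_PW' => 'guess'],
    'right password' => ['PHP_AUTH_USER' => 'tom', 'PHP_AUTH_PW' => 's3cret-demo'],
] as $label => $server) {
    printf("%-15s -> %s\n", $label,
        requireBasicAuth($users, $server, 'Members') ? 'granted' : 'challenged');
}
```

Two caveats a practitioner would want alongside Don's advice. Basic auth sends the username and password, base64-encoded rather than encrypted, on every request, so it is only as private as the transport; serve the site over HTTPS. And because the browser keeps resending the credentials until its window is closed, there is no clean server-driven logout, which is tolerable for the one-or-two-minute visits Tom describes but worth knowing before choosing it over a session.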