[PHP] HTTP_REFERER security implications?

2003-03-10 Thread Tom Woody
I am working on a simple authentication script, where the user submits a
login and password, the credentials are checked and the user is
redirected to another script.  The new script checks the HTTP_REFERER
and if its the original script it continues, otherwise it stops with a
message about being unauthorized.

What kind of security implications may I be backing myself into?  I want
to try and stay away from cookies, and as small as this is I think
Session management is a little overkill.  The average user isn't going
to spend much more than 1 or 2 minutes on the site (not much for them to
see or do).  I have seen this method used on other sites, but I prefer
to check with the experts first.

thanks,

-- 
Tom

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] HTTP_REFERER security implications?

2003-03-10 Thread Kevin Stone
- Original Message -
From: Tom Woody [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 10, 2003 9:53 AM
Subject: [PHP] HTTP_REFERER security implications?


 I am working on a simple authentication script, where the user submits a
 login and password, the credentials are checked and the user is
 redirected to another script.  The new script checks the HTTP_REFERER
 and if its the original script it continues, otherwise it stops with a
 message about being unauthorized.

 What kind of security implications may I be backing myself into?  I want
 to try and stay away from cookies, and as small as this is I think
 Session management is a little overkill.  The average user isn't going
 to spend much more than 1 or 2 minutes on the site (not much for them to
 see or do).  I have seen this method used on other sites, but I prefer
 to check with the experts first.

 thanks,

 --
 Tom

Yes I have read that the HTTP_REFERER can easily be faked by controlling the
name on a proxyserver (although I have never done so myself).  Once set up
all you have to do is post through an idential form and voila, you're in.  A
good analogy of the level of security we're talking about is a common door
lock... enough to keep out the casual individual but a thiefe can enter with
little or no trouble.  And isn't it the thieves you're worried about?
-Kevin



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] HTTP_REFERER security implications?

2003-03-10 Thread Don Read

On 10-Mar-2003 Tom Woody wrote:
 I am working on a simple authentication script, where the user submits a
 login and password, the credentials are checked and the user is
 redirected to another script.  The new script checks the HTTP_REFERER
 and if its the original script it continues, otherwise it stops with a
 message about being unauthorized.
 
 What kind of security implications may I be backing myself into?  I want
 to try and stay away from cookies, and as small as this is I think
 Session management is a little overkill.  The average user isn't going
 to spend much more than 1 or 2 minutes on the site (not much for them to
 see or do).  I have seen this method used on other sites, but I prefer
 to check with the experts first.
 

If they use a proxy that doesn't send HTTP_REFERER, It'll break things. 
My numbers say it happens about about 15% of the time:

mysql select count(*) from hit where urlid=0;
+--+
| count(*) |
+--+
|83082 |
+--+
1 row in set (0.53 sec)

mysql select count(*) from hit;
+--+
| count(*) |
+--+
|   541557 |
+--+
1 row in set (0.00 sec)


Since you don't want to use sessions, maybe 401 WWW-authenticate method
would work better for your application.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php