RE: [PHP] HTTP_REFERER security implications?

2003-03-10 Thread Don Read

On 10-Mar-2003 Tom Woody wrote:
> I am working on a simple authentication script, where the user submits a
> login and password, the credentials are checked and the user is
> redirected to another script.  The new script checks the HTTP_REFERER
> and if its the original script it continues, otherwise it stops with a
> message about being unauthorized.
> 
> What kind of security implications may I be backing myself into?  I want
> to try and stay away from cookies, and as small as this is I think
> Session management is a little overkill.  The average user isn't going
> to spend much more than 1 or 2 minutes on the site (not much for them to
> see or do).  I have seen this method used on other sites, but I prefer
> to check with the experts first.
> 

If they use a proxy that doesn't send HTTP_REFERER, It'll break things. 
My numbers say it happens about about 15% of the time:

mysql> select count(*) from hit where urlid=0;
+--+
| count(*) |
+--+
|83082 |
+--+
1 row in set (0.53 sec)

mysql> select count(*) from hit;
+--+
| count(*) |
+--+
|   541557 |
+--+
1 row in set (0.00 sec)


Since you don't want to use sessions, maybe 401 WWW-authenticate method
would work better for your application.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] HTTP_REFERER security implications?

2003-03-10 Thread Kevin Stone
- Original Message -
From: "Tom Woody" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 10, 2003 9:53 AM
Subject: [PHP] HTTP_REFERER security implications?


> I am working on a simple authentication script, where the user submits a
> login and password, the credentials are checked and the user is
> redirected to another script.  The new script checks the HTTP_REFERER
> and if its the original script it continues, otherwise it stops with a
> message about being unauthorized.
>
> What kind of security implications may I be backing myself into?  I want
> to try and stay away from cookies, and as small as this is I think
> Session management is a little overkill.  The average user isn't going
> to spend much more than 1 or 2 minutes on the site (not much for them to
> see or do).  I have seen this method used on other sites, but I prefer
> to check with the experts first.
>
> thanks,
>
> --
> Tom

Yes I have read that the HTTP_REFERER can easily be faked by controlling the
name on a proxyserver (although I have never done so myself).  Once set up
all you have to do is post through an idential form and voila, you're in.  A
good analogy of the level of security we're talking about is a common door
lock... enough to keep out the casual individual but a thiefe can enter with
little or no trouble.  And isn't it the thieves you're worried about?
-Kevin



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php