[ILUG] GET sessions...

Fergal Daly fergal at esatclear.ie
Thu Jun 1 03:32:18 IST 2000


At 03:05 01/06/00, adam beecher wrote:
>POST is no good in a "real" environment - people need to be able to click around
>in regular links and carry their session with them.

fair enough.

>  I could of course simulate
>that with a hidden form and JavaScript event handlers, but that would be slow.
>And it has to be 100% downwards compatible too. You've set my mind whirring
>though - what about HTTP_REFERER? If the user doesn't have a HTTP_REFERER that
>matches against the site itself, they're obviously coming from somewhere they
>shouldn't be, so I can send them an error, right? Can you spoof HTTP_REFERER?

Yes, I have done. Basically anything that is passed from the client can be 
spoofed.

> > I think the way around it is HTTP_AUTH or cookies. I think people tend not
> > to use HTTP_AUTH as it is (or at least was) a lot less flexible. Basically
> > restricted to looking up a passwd file, whereas CGI could do anything.
> > These days when you can stick Perl right into Apache guts (instead of
> > having to write modules in C) you can do HTTP_AUTH whatever way you like
> > with ease but that sort of Apache trickery is still not widespread and so
> > people just do all the auth in their CGI scripts?
> >
>Same goes for cookies as for JavaScript above - I'll use 'em if they're
>available but I have to be downwards compatible. I'm still curious about
>HTTP_AUTH though, and why people don't use it more widely. The only downside I
>can see is that the user stays logged in until the browser is closed, but I've
>seen Webmin (Perl) get around that, and I'm sure I can figure out how they did
>it.

I'm pretty sure it's possible to log someone out alright, have a look at 
the HTTP RFC, but if you're worried about compatibility make sure you're 
looking at HTTP 1.0 or even 0.9!

>And as you said, it's much easier these days - it doesn't just have to be a
>passwd file, or even "real" HTTP_AUTH. There's mod_perl, as you mentioned above;
>mod_php; and the lesser known, greater-spotted mod_auth_mysql, written by Ralf
>Engelschall (author of mod_ssl, mod_rewrite and plenty of the core Apache code).
>So if it's easier, and everybody knows it's easier, why aren't people doing it?
>Just because no-one else is?! :)

I think 1) below answers your question.

>1) Use PHP HTTP_AUTH. Unfortunately though, this won't work with the CGI binary,
>which is a problem because the app will be released, and an awful lot of people
>are parked on virtual servers with CGI binaries.
>
>2) Use HTTP_REFERER to check for valid referers. But I have this niggle at the
>back of my mind that there's a loophole there I'm not seeing.

Can be spoofed, and if someone knows the session ID they could easily 
construct a "valid" referer unless you also included some sort of randomly 
changing ID, which would be an awful mess and would break simple things like 
the Back button.

I really think this is the exact problem cookies were designed to solve. 
How many people are using non-cookie browsers or have cookies disabled? 
Don't all the big web mail sites use cookies?

>No sweat. Just get up later. Pretty soon you'll be into a routine, and you won't
>be *able* to sleep before four. :)

I'm already in that routine, just the real world barged in and got me out 
of bed early this morning!

Fergal
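The two points made in the message above, shown in code. This is an added example, not code from the thread or from either poster: it parses a hand-built HTTP/1.0 request, runs the Referer check Adam proposed, and shows that a request with a typed-in Referer passes it; it then shows the alternative Fergal argues for, a server-side session keyed by a random cookie value that an outsider cannot guess, and a server-side logout. The hostname www.example.ie, the session-cookie name `sid` and the request bytes are all assumptions constructed for the demo.

```python
"""Referer checks versus server-side session cookies (added example)."""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SITE_HOST = "www.example.ie"  # assumed hostname of the site being protected


def parse_request(raw: bytes):
    """Split a raw HTTP/1.0 request head into (method, target, headers).

    Header names are lower-cased. This is exactly what a CGI script sees as
    HTTP_REFERER, HTTP_COOKIE etc.: text the client chose to send.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def referer_is_internal(headers: dict) -> bool:
    """The check proposed in the thread: accept only if Referer names our host."""
    ref = headers.get("referer")
    if not ref:
        return False
    return urlsplit(ref).hostname == SITE_HOST


# Constructed requests. The first is what a browser sends after following a
# link on the site. The second was typed by hand (a telnet session to port
# 80 is enough); the Referer line is arbitrary text, so the check passes.
GENUINE_REQUEST = (
    b"GET /account.cgi?sid=1234 HTTP/1.0\r\n"
    b"Host: www.example.ie\r\n"
    b"Referer: http://www.example.ie/menu.cgi\r\n"
    b"\r\n"
)
SPOOFED_REQUEST = (
    b"GET /account.cgi?sid=1234 HTTP/1.0\r\n"
    b"Host: www.example.ie\r\n"
    b"Referer: http://www.example.ie/\r\n"  # attacker-supplied, never visited
    b"\r\n"
)


class SessionStore:
    """Server-side sessions: the browser holds only an unguessable random ID.

    Nothing the client sends is trusted; the token is compared against state
    the server created and still holds.
    """

    COOKIE_NAME = "sid"  # assumed cookie name

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username: str) -> str:
        """Create a session; return the Set-Cookie header value to send back."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return f"{self.COOKIE_NAME}={token}; Path=/"

    def _token_from(self, headers: dict):
        cookie = SimpleCookie()
        cookie.load(headers.get("cookie", ""))
        morsel = cookie.get(self.COOKIE_NAME)
        return morsel.value if morsel is not None else None

    def user_for(self, headers: dict):
        """Return the logged-in user for this request, or None."""
        token = self._token_from(headers)
        return self._sessions.get(token) if token else None

    def logout(self, headers: dict) -> None:
        """Server-side logout: forget the token so the cookie becomes worthless."""
        self._sessions.pop(self._token_from(headers), None)


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        _, _, hdrs = parse_request(raw)
        print(f"{label}: referer check passes = {referer_is_internal(hdrs)}")

    store = SessionStore()
    set_cookie = store.login("adam")
    token = set_cookie.split(";", 1)[0].split("=", 1)[1]
    print("with issued cookie:", store.user_for({"cookie": f"sid={token}"}))
    print("with guessed cookie:", store.user_for({"cookie": "sid=1234"}))
    store.logout({"cookie": f"sid={token}"})
    print("after logout:", store.user_for({"cookie": f"sid={token}"}))
```

The Referer check passes for both requests, which is the whole problem: the server cannot distinguish a header a browser filled in from one an attacker typed. The session store only ever trusts a value it generated itself, and because the state lives on the server, logout is a dictionary delete rather than a browser trick.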
