[ILUG] GET sessions...
fergal at esatclear.ie
Thu Jun 1 03:32:18 IST 2000
At 03:05 01/06/00, adam beecher wrote:
>POST is no good in a "real" environment - people need to be able to click
>in regular links and carry their session with them.
> I could of course simulate
>And it has to be 100% downwards compatible too. You've set my mind whirring
>though - what about HTTP_REFERER? If the user doesn't have an HTTP_REFERER that
>matches against the site itself, they're obviously coming from somewhere they
>shouldn't be, so I can send them an error, right? Can you spoof HTTP_REFERER?
Yes, I have done. Basically anything that is passed from the client can be
> > I think the way around it is HTTP_AUTH or cookies. I think people tend not
> > to use HTTP_AUTH as it is (or at least was) a lot less flexible. Basically
> > restricted to looking up a passwd file, whereas CGI could do anything.
> > These days when you can stick Perl right into Apache guts (instead of
> > having to write modules in C) you can do HTTP_AUTH whatever way you like
> > with ease but that sort of Apache trickery is still not widespread and so
> > people just do all the auth in their CGI scripts?
>available but I have to be downwards compatible. I'm still curious about
>HTTP_AUTH though, and why people don't use it more widely. The only downside I
>can see is that the user stays logged in until the browser is closed, but I've
>seen Webmin (Perl) get around that, and I'm sure I can figure out how they did
I'm pretty sure it's possible to log someone out alright, have a look at
the HTTP RFC, but if you're worried about compatibility make sure you're
looking at HTTP 1.0 or even 0.9!
>And as you said, it's much easier these days - it doesn't just have to be a
>passwd file, or even "real" HTTP_AUTH. There's mod_perl, as you mentioned
>mod_php; and the lesser known, greater-spotted mod_auth_mysql, written by Ralf
>Engelshall (author of mod_ssl, mod_rewrite and plenty of the core Apache
>So if it's easier, and everybody knows it's easier, why aren't people
>Just because no-one else is?! :)
I think 1) below answers your question.
>1) Use PHP HTTP_AUTH. Unfortunately though, this won't work with the CGI
>which is a problem because the app will be released, and an awful lot of
>are parked on virtual servers with CGI binaries.
>2) Use HTTP_REFERER to check for valid referers. But I have this niggle at the
>back of my mind that there's a loophole there I'm not seeing.
Can be spoofed and if someone knows the session ID they could easily
construct a "valid" referrer unless you also included some sort of randomly
changing ID which would be an awful mess and would break simple things like
the Back button.
I really think this is the exact problem cookies were designed to solve.
How many people are using non-cookie browsers or have cookies disabled?
>No sweat. Just get up later. Pretty soon you'll be into a routine, and you
>be *able* to sleep before four. :)
I'm already in that routine, just the real world barged in and got me out
of bed early this morning!
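To make the point of the reply above concrete (a Referer check is not access control, because every request header is chosen by the client, and a session ID carried in the URL is exposed in that same header), here is an added example that is not code from the thread or from either poster. It assumes a hypothetical site hostname, a hypothetical `sid` query parameter and cookie name, and models requests as plain header dicts rather than a real CGI environment.

```python
"""Referer checking versus cookie sessions: an illustration of the thread's point.
Assumptions (not from the original post): the site is www.example.com, the
session ID travels as a 'sid' query parameter, and the cookie is also named 'sid'.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

SITE_HOST = "www.example.com"  # hypothetical hostname (assumption)


def referer_is_local(headers):
    """The check proposed in the thread: accept only requests whose Referer
    points back at our own site. 'headers' is a dict of request headers
    exactly as the server received them (a client sends whatever it likes)."""
    referer = headers.get("Referer", "")
    return urlparse(referer).hostname == SITE_HOST


def session_from_referer(headers):
    """A session ID carried in the URL leaks into the Referer of every
    outbound link, so whoever sees the Referer also sees the ID."""
    query = urlparse(headers.get("Referer", "")).query
    return parse_qs(query).get("sid", [None])[0]


def forge_headers(known_sid):
    """What an attacker sends once they know a session ID: a 'valid' Referer
    costs nothing to fabricate, so the check is passed outright."""
    return {"Referer": f"http://{SITE_HOST}/account?sid={known_sid}"}


class CookieSessions:
    """The alternative the reply recommends: an unguessable, server-issued ID
    held in a cookie and looked up server-side. The client cannot fabricate a
    value that maps to a user it did not log in as, and the server can end the
    session at any time (the logout that plain HTTP auth makes awkward)."""

    def __init__(self):
        self._sessions = {}  # session ID -> username

    def login(self, username):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = username
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)  # idempotent: unknown IDs are ignored

    def user_for(self, headers):
        """Resolve the Cookie header to a user, or None if no live session."""
        jar = SimpleCookie()
        jar.load(headers.get("Cookie", ""))
        morsel = jar.get("sid")
        if morsel is None:
            return None
        return self._sessions.get(morsel.value)


def demo():
    """Run both schemes against constructed requests and report the outcomes."""
    stolen_sid = "abc123"  # constructed: an ID the attacker read from a Referer
    results = {
        # The forged request sails through the Referer check...
        "forged_referer_accepted": referer_is_local(forge_headers(stolen_sid)),
        # ...and the ID itself was sitting in the Referer all along.
        "sid_visible_in_referer": session_from_referer(forge_headers(stolen_sid)),
        # Meanwhile a legitimate user whose browser or proxy strips Referer is refused.
        "no_referer_accepted": referer_is_local({}),
    }
    store = CookieSessions()
    sid = store.login("adam")
    results["cookie_valid"] = store.user_for({"Cookie": f"sid={sid}"})
    results["cookie_guessed"] = store.user_for({"Cookie": "sid=guess"})
    store.logout(sid)
    results["cookie_after_logout"] = store.user_for({"Cookie": f"sid={sid}"})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The Referer scheme fails in both directions: it admits anyone who can type a header, and it turns away real users behind Referer-stripping proxies. The cookie scheme keeps the secret out of URLs and Referers, makes it unguessable, and gives the server an explicit logout.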