[ILUG] GET sessions...
jm at jmason.org
Thu Jun 1 12:28:32 IST 2000
"adam beecher" said:
> Also, a query - most sites tend to use forms-based authentication - why? It
> would seem that using HTTP_AUTH, particularly with PHP ($PHP_AUTH_USER &
> $PHP_AUTH_PW available in the symbol table). Does it place extra load on the
> server or something?
I can't see a problem with it IMHO, apart from Fergal's point -- it's
restricted in how you look up the username/passwords on the server.
Also there's a minor point of how pretty the auth dialog is; some sites
would prefer a nice-looking web page I guess.
Also it generally requires mucking about with .htaccess or /etc/httpd/conf
files, which a lot of sites don't like doing -- or maybe their hosting
companies don't let them do?
> You've set my mind whirring
> though - what about HTTP_REFERER? If the user doesn't have a HTTP_REFERER that
> matches against the site itself, they're obviously coming from somewhere they
> shouldn't be, so I can send them an error, right? Can you spoof HTTP_REFERER?
You should always check HTTP_REFERRER from now on, there's been a spate of
possible attacks discussed recently involving:
1. user goes to your site, logs in, and reads some embedded
from evilguy at evil.com in your webmail system or summat.
2. JS sends user to a third-party page, which then uses the referrer from
your page to construct a request using your authenticated login to do
nasty stuff on your site.
Btw REFERRER is spoofable but if you check it, you'll avoid that problem.
Justin Mason Work: http://www.netnoteinc.com/ <jm at netnoteinc.com>
Personal: http://jmason.org/ <jm at jmason.org>
"It's true that some sharks get cancer. I said this in my book."
-- William Lane, author of _Sharks Don't Get Cancer_
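The referrer check discussed in the post, as an added example that is not part of the original message: modern PHP ($_SERVER rather than the register_globals variables of 2000), with the served hostname www.example.com assumed. It rejects a missing or malformed Referer and compares the whole hostname, so a lookalike host that merely contains our name does not pass.

```php
<?php
// Added example (not from the original post): a strict Referer check for
// state-changing requests. Assumes the site is served as www.example.com
// (hypothetical hostname).

/**
 * Return true only if the Referer names exactly the host we serve.
 * A missing or unparseable Referer is rejected, and the comparison is on
 * the full hostname, so "www.example.com.evil.example" does not match.
 */
function referer_is_local(?string $referer, string $ourHost): bool
{
    if ($referer === null || $referer === '') {
        return false;                 // no header: treat as foreign
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                 // malformed or host-less URL
    }
    // Hostnames are case-insensitive; nothing else about them is loose.
    return strcasecmp($host, $ourHost) === 0;
}

// Apply the check only to requests that change state. For a request a
// page on another site causes the browser to send, the browser itself
// fills in Referer with that page's URL, which is what the check catches.
$ourHost = 'www.example.com';
$method  = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method !== 'GET' && $method !== 'HEAD') {
    if (!referer_is_local($_SERVER['HTTP_REFERER'] ?? null, $ourHost)) {
        http_response_code(403);
        exit('Request rejected: cross-site or missing Referer');
    }
}
```

Constructed inputs such as a Referer of https://evil.example/?u=www.example.com or of http://www.example.com.evil.example/ are rejected because only the parsed host is compared, not the whole string.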