Quick Question:
I have a site that I'd like to tighten up the security on.
Register Globals is Off
It uses sessions and every page (bar the login page) that is called does the following
Check that the session is still valid (from db) (this involves checking lots of the user's details and the salt that they have in their $_SESSION). If any of the details fail then they are "thrown out"
😃
Now on POSTs I do the following
Check that the page it came from ($_SERVER['HTTP_REFERER']) is actually on the same server. (Concept was to stop people from running a script off their own server)
Check that the user is logged in (see first comment)
Check that the actual request was a POST (as opposed to a get)
Now I am aware that it is possible to spoof the $_SERVER['http_referer'] so my question is this:
If a user is logged in (therefore has a valid session in the DB) and they do a view source and take a copy of a page that (say) allows things to be deleted from the DB and then put it on their own server (or even on just the HDD), how am I going to prevent them gaining access to the actual script? The fact that they have a valid session id will allow them to pass that part of the security.
At the moment I am using the imperfect check of checking the $_SERVER['HTTP_REFERER'] against the site's true location. Any other possible approaches would be swell 😃
Is this the only thing left to do or do I need to do more?
Cheers
GM
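An added example, not code from the original post, showing the two checks that replace the HTTP_REFERER test. A per-session random token, emitted as a hidden field and compared on every POST, stops a page on some other site from driving a logged-in user's browser into the delete script. It does not stop the scenario in the question, where the logged-in user copies the page themselves: they can read the token off the page just as they can read the form. What stops that case is authorising each action on the server, so a valid session only ever lets a user delete rows they are entitled to delete. The function names, the `owner_id` column and the `user_id` session key are assumptions for the demo; in a real handler `$_SESSION` and `$_POST` are passed in where the demo uses local arrays.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Assumes the existing session
// check has already run and that deletable rows carry an owner_id column.

// Create (once per session) a random token and keep it in the session array.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every form that changes state (delete, update, ...).
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Validate the submitted token; hash_equals is a constant-time comparison.
function csrf_valid(array $post, array $session): bool
{
    if (!isset($post['csrf_token'], $session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Server-side authorisation: wherever the request came from, the logged-in
// user may only delete rows they own. $row is the record fetched from the DB
// (null when the id does not exist).
function may_delete(array $session, ?array $row): bool
{
    return $row !== null
        && isset($session['user_id'])
        && (int) $row['owner_id'] === (int) $session['user_id'];
}

// Combined guard for the delete handler: returns a reason string when the
// request must be refused, or null when it may proceed.
function reject_reason(string $method, array $post, array $session, ?array $row): ?string
{
    if ($method !== 'POST') {
        return 'not a POST';
    }
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    if (!csrf_valid($post, $session)) {
        return 'bad or missing CSRF token';
    }
    if (!may_delete($session, $row)) {
        return 'not the owner of this record';
    }
    return null;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo data standing in for $_SESSION, $_POST and two DB rows.
    $session  = ['user_id' => 7];
    $token    = csrf_token($session);
    $ownRow   = ['id' => 42, 'owner_id' => 7];
    $otherRow = ['id' => 43, 'owner_id' => 9];

    echo csrf_field($session), "\n";
    var_dump(reject_reason('POST', ['csrf_token' => $token], $session, $ownRow));
    var_dump(reject_reason('POST', ['csrf_token' => 'wrong'], $session, $ownRow));
    var_dump(reject_reason('POST', ['csrf_token' => $token], $session, $otherRow));
    var_dump(reject_reason('GET', ['csrf_token' => $token], $session, $ownRow));
}
```

In the page that renders the form, call `csrf_field($_SESSION)` inside the `<form>`; in the script that performs the delete, call `reject_reason($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION, $row)` after the existing session check and before touching the database. The ownership test in `may_delete` is the part that does the real work against a user who already holds a valid session; the token and the POST-only rule cover the cross-site case the referer check was aimed at.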