Hi,
I wrote a little regular expression that compares the $_SERVER['HTTP_REFERER'] against a pattern i made. The point of it is to only allow the script to be ran off of my domain.
Anyways, the whole idea is pointless if a http_referer can be faked, so is it possible?
Thanks!
google is your friend..
Any request header can be faked.
though only good programmer, hax0rs , skr1pt kidd3s know abt it (generally)
1) YOU CANNOT MAKE A PHP SCRIPT THAT IS UNCONDITIONALLY SECURE. This is because it runs on a web server which has security flaws, using the php engine which has security flaws, over the http protocols which have security flaws, on an operating system that has security flaws.
2) YOU CAN MAKE A PHP SCRIPT THAT IS COMPUTATIONALLY SECURE. So your script will be penetrable but it will be significantly difficult that the hacker won't bother.
3) ANY SYSTEM IS ONLY AS STRONG AS ITS WEAKEST LINK. Make your program more secure then the rest of the system and you're in good shape.
Well, you can not rely on HTTP_REFERER. A good start would be to encrypt a session variable and check it is comming OK.
Originally posted by abx_2112
Well, you can not rely on HTTP_REFERER. A good start would be to encrypt a session variable and check it is comming OK.
yes that's a great start it's so much harder to load one of your pages in a hidden frame then it is to fake the http_referer.
yes that's a great start it's so much harder to load one of your pages in a hidden frame then it is to fake the http_referer.
Care to explain?
hidden frame.... no border, no width, no height. would set the session variable. you could then load the image........
Originally posted by abx_2112
Care to explain?
FYI : reget download manager allows you to fake the referer (I sometimes use it to test my code)
I feel I was (am) completely ignorant in this subject. I'm afraid I didnt give enough thought to the problem, so i deserve the sarcasm 
yes that's a great start it's so much harder to load one of your pages in a hidden frame then it is to fake the http_referer.
anyway, thinks for the info drawmack 
Originally posted by abx_2112
I feel I was (am) completely ignorant in this subject. I'm afraid I didnt give enough thought to the problem, so i deserve the sarcasm
anyway, thinks for the info drawmack
My sarcasm is not intended to offend. NP about the info
Wouldn't it be a better idea to set up admin privaleges in your database and set the page to check the cookie name against the database and see if that user has sufficient access to be allowed onto a page?
there is another problem with HTTP_REFERER. If a valid user is grabbing the file from your site as intended, it still may fail becuase some proxies will not send the referring page in the headers. You could be keeping legitimate users from seeing what you want them to see.
Bottom line, if you make a file public on your site, it's basically public for everyone to find. you can only do so much to limit usage, but a determined person will always find a way, unless you protect everything via htaccess.
Uh, you resurrected a six-year-old thread to show that you got the wrong end of the stick?
There's a stick to be had?
Shameless +1 
