I've written a simple generic form2mail script. I only want it to be usable if the form that points to it lives on one of my servers (or a client, etc.).
I've used the HTTP_REFERER to make sure the referring server is an "ok" one, but I have a problem when the referring site is using https (like our course delivery system, etc.). Apparently, the HTTP_REFERER is coming in blank from the sites that use https...
I can't set cookies (too many users who don't know how to do it), and sessions are out as well (no scripting on the static web page servers).
Any ideas? Below is the snippet that checks to be sure everything is OK... I don't think it will be relevant, but it may help.
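function check_referer() {
    // allowed_http_referers.php defines $allowed_referers, an array of
    // servers allowed to use the form that are not in one of my domains
    include 'allowed_http_referers.php';
    if (isset($_SERVER['HTTP_REFERER'])) {
        $url = parse_url($_SERVER['HTTP_REFERER']);
        // parse_url() returns false or omits 'host' for malformed values
        if (!is_array($url) || !isset($url['host'])) {
            return false;
        }
        // eregi() was removed in PHP 7; preg_match() replaces it, with the
        // dots escaped so "." matches only a literal dot
        if (in_array($url['host'], $allowed_referers) ||
            preg_match('/\.mydomain\.com$/i', $url['host']) ||
            preg_match('/\.myotherdomain\.com$/i', $url['host'])) {
            return true;
        }
    }
    return false;
}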
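
The host comparison in check_referer(), as an added example that is not part of the original post: it runs a pattern with unescaped dots and a label-boundary comparison over constructed Referer values, including the missing header described for https pages. The helper names and sample hosts are assumptions, and accepting the bare domain is a choice made for this example.

```php
<?php
// Added example: constructed Referer values, hypothetical helper names.

// Pattern with unescaped dots: each "." matches any single character.
function loose_match(string $host): bool {
    return preg_match('/.mydomain.com$/i', $host) === 1;
}

// Label-boundary match: the host is the domain itself or ends in ".<domain>".
function host_in_domain(string $host, string $domain): bool {
    $host = strtolower(rtrim($host, '.'));
    $domain = strtolower($domain);
    if ($host === $domain) {
        return true;
    }
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

// Returns the Referer host, or null when the header is absent or unparsable.
function referer_host(?string $referer): ?string {
    if ($referer === null || $referer === '') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? $host : null;
}

// Constructed samples; null stands for a request that carries no Referer.
$samples = [
    'http://www.mydomain.com/contact.html',
    'http://mydomain.com/contact.html',
    'http://notmydomain.com/contact.html',
    'not a url',
    null,
];

foreach ($samples as $referer) {
    $host = referer_host($referer);
    // A missing or unparsable Referer fails closed in both checks.
    $loose = $host !== null && loose_match($host);
    $strict = $host !== null && host_in_domain($host, 'mydomain.com');
    printf("%-42s loose=%-5s strict=%s\n",
        var_export($referer, true),
        var_export($loose, true),
        var_export($strict, true));
}
```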