Using http_referer for security

StillKnow

Howdy,

I apologize if this issue has been adressed before. I wasn't able to find a specific answer using the search option.

Basically I want to use the http_referer variable to ensure that people who use my script are executing it from my site.

For example, let's say I have a guestbook coded in PHP. It will involve a HTML form where people fill out name, email etc. In theory, anyone can save this HTML form, put it on their own website, execute it, and then add a new entry to my guestbook that way. However, obviously I only want one to be able to do that, by executing the form from my own website.

To ensure that I have used the http_referer variable. However, this header info is often removed when the client uses software such as ZoneAlarm, Norton Internet Security and XP's own Firewall software - to name a few.

Thus, my question is: if I can't use http_referer, how can I ensure that my script is being "fed" with data from a form placed on my OWN website?

tsinka

Hi,

a possible way could be to use a session and to create a hash (like e.g. a md5 hash) and use that hash on the form.

Create that hash with e.g. the md5 function and store it in a session. Then put that hash in a hidden field on that form. Additionally, modify your scripts so that they invalidate the hash after a given time (some minutes so users have enough time to type the text).

With that, users trying to submit an entry need to have a valid session and a valid hash in their form. Even if people put a form on their web site, they need to have the session info, the hash and only have some minutes until the hash becomes invalid.

Thomas

StillKnow

Thomas,

That is a very good idea, thank you.

However, the hash would most likely have to be stored as a cookie on the client side. So if the user doesn't accept this cookie (or if firewall software blocks it for them), it would become a problem.

Thanks though!

tsinka

Hi,

you don't need to store the hash on the client side. The only cookie that gets stored on the client side is the session cookie if PHP is set up to use session cookies. The session data itself is stored server side only. So in order to use that hash add it as hidden field in the form. By invalidating the hash after some time you can make sure that the hash can't be used too long.
You might want to configure PHP so that a session invalidates as soon as a user closes the browser.

Thomas

drawmack

This is a pretty good idea, however [man]curl[/man] could be used to dynamically retrieve and display your guestbook form on their site and bypass just about any security you place on it.

I would say that you probably don't have to worry about this. What are the chances that someone is going to save your guestbook form and put it on their site, seems kind of stupid to me.

What you should try to protect against is auto-posters (i.e. those things that spam every forum on these boards from time to time). The best way to protect against those is with some sort of a.i. text parsing that validates the entry against a code words list and if the score is over a certain amount it doesn't allow the post. Basically research spam filters used on email programs and write a slim version of that for your guestbook.

StillKnow

Yeah, I was actually going to use this for a discussion board script based on PHP/MySQL. I just used the example of a guestbook to simplify things.

Indeed, one thing I wanted to prevent with http_referer was "external" spamming.

Thanks for the tips.

I'm also having a lot of problems with cookies when a user is running ZoneAlarm but that's probably difficult to solve..

drawmack

Originally posted by StillKnow
I'm also having a lot of problems with cookies when a user is running ZoneAlarm but that's probably difficult to solve..

I don't know about that I run zone alarm and don't have any issues with cookies either in development or practice. How many zone alarm user's have you tested your stuff against. BTW: my http referer also works.