Well there's a goddamn big difference between the two.
Yes, HTTP referer spoofing is a problem. There are solutions, but like most things HTTP related they're ugly. Your best option is to set up and use transparent session handling, like PHP has done natively since PHP4 (or was it 3?). If the user has cookies disabled, all your URLs are rewritten to include the sessionid in the request.
No HTTP referer checking for intra-site authentication is just stupid. The real problem is in inter-site handoffs of authenticated users. This is a problem which still needs a proper solution.
__________________
[this signature intentionally left blank]