At 03:05 01/06/00, adam beecher wrote:
>POST is no good in a "real" environment - people need to be able to click
>around in regular links and carry their session with them.
fair enough.
>I could of course simulate that with a hidden form and JavaScript event
>handlers, but that would be slow. And it has to be 100% downwards compatible
>too. You've set my mind whirring though - what about HTTP_REFERER? If the user
>doesn't have a HTTP_REFERER that matches against the site itself, they're
>obviously coming from somewhere they shouldn't be, so I can send them an
>error, right? Can you spoof HTTP_REFERER?
Yes, I have done. Basically anything that is passed from the client can be
spoofed.
> > I think the way around it is HTTP_AUTH or cookies. I think people tend not
> > to use HTTP_AUTH as it is (or at least was) a lot less flexible. Basically
> > restricted to looking up a passwd file, whereas CGI could do anything.
> > These days when you can stick Perl right into Apache guts (instead of
> > having to write modules in C) you can do HTTP_AUTH whatever way you like
> > with ease but that sort of Apache trickery is still not widespread and so
> > people just do all the auth in their CGI scripts?
> >
>Same goes for cookies as for JavaScript above - I'll use 'em if they're
>available but I have to be downwards compatible. I'm still curious about
>HTTP_AUTH though, and why people don't use it more widely. The only downside I
>can see is that the user stays logged in until the browser is closed, but I've
>seen Webmin (Perl) get around that, and I'm sure I can figure out how they did
>it.
I'm pretty sure it's possible to log someone out alright, have a look at
the HTTP RFC, but if you're worried about compatibility make sure you're
looking at HTTP 1.0 or even 0.9!
>And as you said, it's much easier these days - it doesn't just have to be a
>passwd file, or even "real" HTTP_AUTH. There's mod_perl, as you mentioned
>above; mod_php; and the lesser known, greater-spotted mod_auth_mysql, written
>by Ralf Engelschall (author of mod_ssl, mod_rewrite and plenty of the core
>Apache code).
>So if it's easier, and everybody knows it's easier, why aren't people
>doing it?
>Just because no-one else is?! :)
I think 1) below answers your question.
>1) Use PHP HTTP_AUTH. Unfortunately though, this won't work with the CGI
>binary, which is a problem because the app will be released, and an awful lot
>of people are parked on virtual servers with CGI binaries.
>2) Use HTTP_REFERER to check for valid referers. But I have this niggle at the
>back of my mind that there's a loophole there I'm not seeing.
Can be spoofed and if someone knows the session ID they could easily
construct a "valid" referer unless you also included some sort of randomly
changing ID which would be an awful mess and would break simple things like
the Back button.
I really think this is the exact problem cookies were designed to solve.
How many people are using non-cookie browsers or have cookies disabled?
Don't all the big web mail sites use cookies?
>No sweat. Just get up later. Pretty soon you'll be into a routine, and you
>won't be *able* to sleep before four. :)
I'm already in that routine, just the real world barged in and got me out
of bed early this morning!
Fergal
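The two approaches argued over in this thread, a Referer match against the site versus a server-side session keyed by a random cookie token, side by side as an added example (not code from the thread or from any of the tools it names); the hostname, the cookie name `sid` and the request header dicts are constructed assumptions:

```python
import secrets
import time
from urllib.parse import urlsplit

SITE_HOST = "www.example.org"  # assumed hostname of the application

def referer_is_local(headers):
    """The Referer check from the thread: the header is client-supplied, so it
    catches stray off-site links but is not an authentication control."""
    ref = headers.get("Referer")
    return bool(ref) and urlsplit(ref).hostname == SITE_HOST

def parse_cookies(header):
    """Split a Cookie header ('a=1; sid=xyz') into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out

class SessionStore:
    """Server-side sessions keyed by a random cookie token. Nothing in the URL
    or Referer is trusted; logout is a server-side delete, not browser close."""
    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> (user, expiry timestamp)

    def create(self, user, now=None):
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        now = time.time() if now is None else now
        self.sessions[token] = (user, now + self.ttl)
        return token

    def user_for(self, headers, now=None):
        token = parse_cookies(headers.get("Cookie", "")).get("sid")
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        now = time.time() if now is None else now
        if now > expiry:
            self.sessions.pop(token, None)  # idle session dies on the server
            return None
        return user

    def logout(self, headers):
        token = parse_cookies(headers.get("Cookie", "")).get("sid")
        return self.sessions.pop(token, None) is not None
```

Because the session table lives on the server, an expired or logged-out token is refused no matter what URL or Referer the request carries, which is the property the Referer check alone cannot give.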