[ILUG] GET sessions...

Justin Mason jm at jmason.org
Thu Jun 1 12:28:32 IST 2000


"adam beecher" said:

> Also, a query - most sites tend to use forms-based authentication - why? It
> would seem that using HTTP_AUTH, particularly with PHP ($PHP_AUTH_USER &
> $PHP_AUTH_PW available in the symbol table). Does it place extra load on the
> server or something?

I can't see a problem with it IMHO, apart from Fergal's point -- it's
restricted in how you look up the username/passwords on the server.

Also there's a minor point of how pretty the auth dialog is; some sites
would prefer a nice-looking web page I guess.

Also it generally requires mucking about with .htaccess or /etc/httpd/conf
files, which a lot of sites don't like doing -- or maybe their hosting
companies don't let them do?

> You've set my mind whirring
> though - what about HTTP_REFERER? If the user doesn't have a HTTP_REFERER that
> matches against the site itself, they're obviously coming from somewhere they
> shouldn't be, so I can send them an error, right? Can you spoof HTTP_REFERER?

You should always check HTTP_REFERRER from now on; there's been a spate of
possible attacks discussed recently involving:

1. user goes to your site, logs in, and reads some embedded
javascript/etc. in one of your pages.  This for example, could be a mail
from evilguy at evil.com in your webmail system or summat.

2. JS sends user to a third-party page, which then uses the referrer from
your page to construct a request using your authenticated login to do
nasty stuff on your site.

Btw REFERRER is spoofable but if you check it, you'll avoid that problem
at least.

--j.

-- 
Justin Mason       Work:  http://www.netnoteinc.com/ <jm at netnoteinc.com>
                   Personal:      http://jmason.org/     <jm at jmason.org>

"It's true that some sharks get cancer. I said this in my book."
	 	   -- William Lane, author of _Sharks Don't Get Cancer_
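A server-side version of the Referer check recommended in the mail above, added here as an example for this archive page (it is not code from the original post or from ILUG); the site host, the header lookups, the sample requests and the function names are all assumptions:

```python
from urllib.parse import urlsplit

# Assumed site host for this example; a real deployment would use its own.
SITE_HOST = "www.example.com"


def referer_matches_site(headers, site_host=SITE_HOST):
    """Return True only when the Referer's host component equals site_host.

    The Referer is parsed as a URL rather than string-matched, so values
    such as 'http://www.example.com.evil.org/', 'http://evil.org/?x=www.example.com'
    or 'http://www.example.com@evil.org/' do not pass. A missing Referer
    fails closed: a cross-site request is one of the ways it goes missing.
    """
    referer = headers.get("Referer") or headers.get("HTTP_REFERER")
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() == site_host.lower()


def should_reject_state_change(method, headers, site_host=SITE_HOST):
    """Apply the check only to requests that change state (POST and friends).

    Plain GETs that merely render a page are left alone so that bookmarks
    and links from other sites keep working; the attack in the mail needs
    the forged request to *do* something, which is what the check guards.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False
    return not referer_matches_site(headers, site_host)


# Constructed sample requests (method, headers, expected rejection).
SAMPLES = [
    ("POST", {"Referer": "http://www.example.com/mail/compose"}, False),
    ("POST", {"Referer": "http://www.example.com.evil.org/"}, True),
    ("POST", {"Referer": "http://evil.org/?next=www.example.com"}, True),
    ("POST", {"Referer": "http://www.example.com@evil.org/"}, True),
    ("POST", {}, True),
    ("GET", {}, False),
]

if __name__ == "__main__":
    for method, headers, expected in SAMPLES:
        assert should_reject_state_change(method, headers) == expected
        print(method, headers.get("Referer"), "->", "reject" if expected else "allow")
```

As the mail says, a forged client can still send any Referer it likes; the check only stops a browser that is being driven from another site, where the browser fills in the true Referer itself.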