"adam beecher" said:
> Also, a query - most sites tend to use forms-based authentication - why? It
> would seem that using HTTP_AUTH, particularly with PHP ($PHP_AUTH_USER &
> $PHP_AUTH_PW available in the symbol table). Does it place extra load on the
> server or something?
I can't see a problem with it IMHO, apart from Fergal's point -- it's
restricted in how you look up the username/paswords on the server.
Also there's a minor point of how pretty the auth dialog is; some sites
would prefer a nice-looking web page I guess.
Also it generally requires mucking about with .htaccess or /etc/httpd/conf
files, which a lot of sites don't like doing -- or maybe their hosting
companies don't let them do?
> You've set my mind whirring
> though - what about HTTP_REFERER? If the user doesn't have a HTTP_REFERER that
> matches against the site itself, they're obviously coming from somewhere they
> shouldn't be, so I can send them an error, right? Can you spoof HTTP_REFERER?
You should always check HTTP_REFERRER from now on, there's been a spate of
possible attacks discussed recently involving:
1. user goes to your site, logs in, and reads some embedded
from evilguy at evil.com in your webmail system or summat.
2. JS sends user to a third-party page, which then uses the referrer from
your page to construct a request using your authenticated login to do
nasty stuff on your site.
Btw REFERRER is spoofable but if you check it, you'll avoid that problem
Justin Mason Work: http://www.netnoteinc.com/ <jm at netnoteinc.com>
Personal: http://jmason.org/ <jm at jmason.org>
"It's true that some sharks get cancer. I said this in my book."
-- William Lane, author of _Sharks Don't Get Cancer_
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!