in reply to $ENV{HTTP_REFERER} Problem on a Windows Client

REFERER is trivially forged, and unreliable as you've seen. It's only for logging, and unusable as the basis for a security scheme.

You'll have to make a hidden field or something to know that your second form was coming from your first response.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.
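One way to do the "hidden field or something" described above, as an added example that is not code from the original post: the first response emits a hidden field carrying a token that is bound, via an HMAC under a server-side secret, to the session id, the form name and an expiry, plus a one-time nonce; the script that handles the second form recomputes the MAC and refuses anything that is malformed, signed for another session or form, expired, or already consumed. The secret, the session id `abc123`, the form names and the in-memory `%used_nonce` store are assumptions for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed server-side secret; in practice read it from a file outside the web root.
my $SECRET = 'replace-with-a-long-random-secret';

# Nonces already consumed. An in-memory hash only works within one process;
# a real CGI would keep this in the session store (DB or file) across requests.
my %used_nonce;

sub make_nonce {
    # Prefer the kernel CSPRNG; fall back to rand() (NOT cryptographic) only so
    # the example still runs where /dev/urandom is absent.
    if (open my $fh, '<:raw', '/dev/urandom') {
        read $fh, my $bytes, 16;
        close $fh;
        return unpack 'H*', $bytes;
    }
    return join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
}

# Value for the hidden field:  nonce:expiry:HMAC(secret, session|form|nonce|expiry)
# Emit it in the first response as
#   <input type="hidden" name="token" value="...">
sub make_form_token {
    my ($session_id, $form_name, $ttl_seconds) = @_;
    my $nonce  = make_nonce();
    my $expiry = time + $ttl_seconds;
    my $mac    = hmac_sha256_hex(join('|', $session_id, $form_name, $nonce, $expiry), $SECRET);
    return join ':', $nonce, $expiry, $mac;
}

# Compare MACs without leaking, through timing, how many leading bytes matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Called by the script that receives the second form, with the posted token,
# the session id it resolved for this request, and the form it expects.
# Returns (1, 'ok') or (0, reason). The nonce is only marked as used after the
# signature checks out, so a forger cannot burn someone else's nonces.
sub verify_form_token {
    my ($token, $session_id, $form_name) = @_;
    my ($nonce, $expiry, $mac) = split /:/, ($token // ''), 3;
    return (0, 'malformed')
        unless defined $mac && $nonce =~ /\A[0-9a-f]{32}\z/ && $expiry =~ /\A\d+\z/;
    my $expected = hmac_sha256_hex(join('|', $session_id, $form_name, $nonce, $expiry), $SECRET);
    return (0, 'bad signature') unless constant_time_eq($mac, $expected);
    return (0, 'expired')       if time > $expiry;
    return (0, 'replayed')      if $used_nonce{$nonce}++;
    return (1, 'ok');
}

# Walk-through: session 'abc123' is shown form 'step2' and posts it back,
# then the same token (e.g. from browser history) is posted again.
my $sid   = 'abc123';
my $token = make_form_token($sid, 'step2', 600);
printf "%-28s %s\n", $_->[0], (verify_form_token(@{ $_->[1] }))[1] for (
    [ 'fresh token, right session' => [ $token, $sid, 'step2' ] ],
    [ 'same token replayed'        => [ $token, $sid, 'step2' ] ],
    [ 'token from another session' => [ make_form_token('zzz', 'step2', 600), $sid, 'step2' ] ],
    [ 'token for another form'     => [ make_form_token($sid, 'step1', 600), $sid, 'step2' ] ],
    [ 'expired token'              => [ make_form_token($sid, 'step2', -1), $sid, 'step2' ] ],
    [ 'tampered token'             => [ 'deadbeef:0:00', $sid, 'step2' ] ],
);
```

The session id used in the HMAC should be the one the server resolved from its own session cookie or store, never a value taken from the posted form, otherwise the binding to the session is meaningless. Note that none of this consults the Referer header at all.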


Re: •Re: $ENV{HTTP_REFERER} Problem on a Windows Client
by soon_j (Scribe) on May 24, 2004 at 12:04 UTC

    You are right. I used the referer in a "crude" way to determine if my session id is directly called or passed from a script. I was avoiding the possibility of session hijacking or replaying, where someone simply replays a session_id from the browser history and there he goes... doing stuff he's not supposed to do.

    Though my session ids are set to expire after "n" minutes, is there another sanity check besides using a "trivial" referrer?

        Thanks! It's an excellent article.