rv20 Posted June 2, 2009
https://forums.phpfreaks.com/topic/160649-validating-that-the-person-visiting-the-page-is-valid/

If you have, say, a login.php script, or any script, and want to stop it being run directly, or at least check that the referer is coming from your own site, then all I can see to secure it are these, depending on whether it is a GET or POST method:

    $http_referer = parse_url(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '', PHP_URL_HOST);
    // compare the referer host against the expected domain or address
    if ( ($http_referer == "domain.com") || ($http_referer == "80.80.80.80.80") ) {}
    // POST or GET, for example
    if ($_SERVER['REQUEST_METHOD'] == "POST") {}

Also, how about having a max number of times you can access the page before a lockout? I suppose this would technically be a DOS attack which you would really have to fix at the router??

Basically I am being paranoid, thinking that someone could try and break into your site by using a whole variety of tricks and techniques, and I don't really know what tricks are out there, so I don't know what I am trying to secure against. I suppose there is XSS, CSS exploits, SQL injection, query string manipulation??, hacking the DB directly, other browser exploits... hmmmm
Garethp Posted June 2, 2009

Well, it's best if you use SESSIONS. You can track where people go on your site using SESSIONS and they won't realize it. Their browser can't fake it like they can with POSTs and GETs, and you can use SESSIONS to store how many times people try to log in, how many times people access your page in how many seconds. Anything.
KevinM1 Posted June 2, 2009

> Well, it's best if you use SESSIONS. You can track where people go on your site using SESSIONS and they won't realize it. Their browser can't fake it like they can with POSTs and GETs, and you can use SESSIONS to store how many times people try to log in, how many times people access your page in how many seconds. Anything.

You can also reset a user's session id, which is a smart move when they navigate to and from vital areas of a site. See: http://www.php.net/manual/en/function.session-regenerate-id.php
Garethp Posted June 2, 2009

Can you explain how it would be a smart move? I've never heard of it before, and I'm just checking out the link you gave me.
PFMaBiSmAd Posted June 2, 2009

HTTP_REFERER can be easily faked (it is just a header that is sent with the HTTP request), so it cannot be relied on for any security purposes. Using session variables to detect failed login attempts or to count page accesses for any security checking also cannot be relied on, because the visitor (or bot script) can simply drop the current session id and establish a new session to reset all the counts.
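An added example (not code from this thread) that puts KevinM1's session_regenerate_id() advice and PFMaBiSmAd's objection together: the failed-attempt counter lives in a server-side store (a SQLite file here) keyed on username plus client address, so dropping the session cookie does not reset it, and the session id is regenerated on a successful login. It assumes PHP 7.1+ with pdo_sqlite and a hypothetical helper user_password_hash() that returns the stored password_hash() for a user (or a dummy hash for unknown users).

```php
<?php
// Added example (not code from the thread): login handler with a server-side
// failed-attempt count and session id regeneration on success.
// Assumed helper: user_password_hash($user) returns the stored password_hash().
session_start();

const MAX_FAILS   = 5;    // failures allowed per key in the window
const WINDOW_SECS = 900;  // 15-minute window

function attempt_store(): PDO {
    $db = new PDO('sqlite:' . __DIR__ . '/login_attempts.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS attempts (k TEXT NOT NULL, ts INTEGER NOT NULL)');
    return $db;
}

// Key on username + client address: a client cannot reset this by dropping its
// session cookie, and a lock on the username alone would let anyone lock a victim out.
function attempt_key(string $user): string {
    return hash('sha256', strtolower($user) . '|' . ($_SERVER['REMOTE_ADDR'] ?? ''));
}

function too_many_failures(PDO $db, string $key): bool {
    $st = $db->prepare('SELECT COUNT(*) FROM attempts WHERE k = ? AND ts > ?');
    $st->execute([$key, time() - WINDOW_SECS]);
    return (int) $st->fetchColumn() >= MAX_FAILS;
}

function record_failure(PDO $db, string $key): void {
    $db->prepare('INSERT INTO attempts (k, ts) VALUES (?, ?)')->execute([$key, time()]);
}

function handle_login(string $user, string $pass): bool {
    $db  = attempt_store();
    $key = attempt_key($user);
    if (too_many_failures($db, $key)) {
        return false;                         // locked out for this window
    }
    if (!password_verify($pass, user_password_hash($user))) {
        record_failure($db, $key);
        return false;
    }
    // Success: issue a fresh id and discard the old one (argument true), so an
    // id the client held before logging in is no longer tied to this login.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $db->prepare('DELETE FROM attempts WHERE k = ?')->execute([$key]);
    return true;
}
```

Call handle_login($_POST['user'] ?? '', $_POST['pass'] ?? '') from the POST branch of login.php; the lockout is per username and address for the window, which limits the account-wide denial of service that a username-only lock would invite.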
rv20 Posted June 2, 2009 (Author)

session_regenerate_id(); looks like good advice; that is the kind of thing I am looking for. Anything else?
rv20 Posted June 2, 2009 (Author)

> HTTP_REFERER can be easily faked (it is just a header that is sent with the HTTP request), so it cannot be relied on for any security purposes. Using session variables to detect failed login attempts or to count page accesses for any security checking also cannot be relied on, because the visitor (or bot script) can simply drop the current session id and establish a new session to reset all the counts.

This is exactly what I thought and hence what I am asking, so you are saying that session_regenerate_id(); will solve this? If it was a form POST I think you can send a hash in a hidden field; I haven't looked into how this works but I assume this method is secure. That leaves a GET request basically....
Garethp Posted June 2, 2009

No, POSTs can be faked too easily. Hidden fields are still shown in the HTML. You can fake a hidden field. GETs are the least secure.
rv20 Posted June 2, 2009 (Author)

> No, POSTs can be faked too easily. Hidden fields are still shown in the HTML. You can fake a hidden field. GETs are the least secure.

So what is the point of all these massive hash values you see in sites like YouTube, Facebook, PayPal etc.? I am talking about hashes hundreds of characters long. I think the hashes are sent in hidden fields, maybe not though; I just remember looking at source in the past and seeing these huge things which, I assume now, were hashes.
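An added example (not code from this thread) of the hidden-field method rv20 describes, done the way that actually works: the value in the hidden field is visible in the page source, as Garethp says, but it is a random token that the server also keeps in this visitor's session, so a POST is accepted only when the submitted value matches the server-side copy. It assumes PHP 7.1+ and that session state is configured; the form fields are constructed for illustration.

```php
<?php
// Added example (not code from the thread): a per-session token in a hidden
// field, checked against the server's own copy before the POST is trusted.
session_start();

// Issue the token once per session and reuse it for the session's forms.
function form_token(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));  // 64 hex chars
    }
    return $_SESSION['form_token'];
}

// A submitted token is valid only if it equals the one stored server-side.
// hash_equals() compares in constant time to avoid timing differences.
function token_is_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['form_token'])
        && hash_equals($_SESSION['form_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or stale; reload the form and try again.');
    }
    // ... handle the trusted POST (e.g. the login check) here ...
    exit('OK');
}
?>
<form method="post" action="">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>
```

Copying the value out of the page source only helps within the same session, because a different session has a different stored token; this is what distinguishes a token bound to server-side state from a plain hidden field.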
gevans Posted June 2, 2009

A lot of the time hashes are used for renaming files, or a random string that may appear like a hash. With the number of file uploads YouTube handles, it needs a way of building its own filenames that will not be the same as another. On a small scale I use a random 6-digit integer attached to a timestamp. My max uploads is 9, so the chance of generating nine random 6-digit numbers and two of them matching is so tiny I don't care about it.