chronister, posted May 16, 2007: How difficult or easy is it to forge things like $_SERVER['HTTP_REFERER']? I have a script that allows a user to change their password, and I want to find out whether relying on $_SERVER['HTTP_REFERER'] to CONFIRM that a user was sent to the page from only one particular page (which I have a redirect on) is secure enough to be trusted in this manner. Any input would be appreciated. Nate
Thread: https://forums.phpfreaks.com/topic/51604-solved-_serverhttp_referer-forging/
radar, posted May 16, 2007: On my site I have a security system in place that I can check things on, which in my admin panel is called "hack logs". I use the HTTP_REFERER quite a bit on that and it has yet to let me down.
john010117, posted May 16, 2007: As stated in the PHP manual, it's not very reliable.
chronister (author), posted May 16, 2007: I am using it in combination with a $_GET var. Here is the code I have:

    <?php
    $id = isset($_GET['id']) ? $_GET['id'] : null; // $id comes from a $_GET var
    $l = explode('/', $_SERVER['HTTP_REFERER']); // grab the referrer & explode it (this header is supplied by the client)
    $m = count($l) - 1;                          // count the items in the array and subtract 1 to end up with the page name
    $page = $l[$m];                              // set the variable for the last item in the array
    if (isset($id) && $page == 'login.php') {    // if $id is set and the referrer page == login.php, proceed
        // ... change-password logic ...
    }
    ?>

I am not completely digging this as it seems to open up some possible holes. Can someone suggest a more reliable way of doing this?
john010117, posted May 16, 2007: Have this on login.php:

    <?php
    session_start();
    $page = basename($_SERVER['PHP_SELF']); // PHP_SELF carries the path ("/login.php"), so keep only the file name
    $_SESSION['page_check'] = $page;
    ?>

and on the process page, have something like this:

    <?php
    session_start();
    if (isset($_SESSION['page_check']) && $_SESSION['page_check'] == "login.php") {
        unset($_SESSION['page_check']);
        // Proceed
    } else {
        unset($_SESSION['page_check']);
        // Fail - Display an error message
    }
    ?>
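The session flag above can be taken one step further: instead of storing the page name, login.php stores a random one-time token in the session and embeds it in the form, and the process page accepts the submission only if the token it receives matches the one in the same session. This is an added example, not code from either poster; it generalizes the page_check idea into a per-form token, uses PHP's own random_bytes and hash_equals, and never reads the Referer header, since the client controls that header. The script names login.php and change_password.php and the 15-minute token lifetime are assumptions for the illustration.

```php
<?php
// Added example (not from the thread): a session-backed form-origin token.
// login.php issues the token; change_password.php verifies it. Both halves
// live in this one file only so the example is self-contained, which is why
// the SCRIPT_NAME checks at the bottom exist.

session_start();

// Call this on login.php when rendering the form.
function issueFormToken(): string
{
    // 32 random bytes, hex-encoded; the secret copy stays server-side.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

// Call this on the process page with the submitted token.
function verifyFormToken(?string $submitted, int $maxAgeSeconds = 900): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    $issued   = $_SESSION['form_token_issued'] ?? 0;

    // One-time use: clear the token whether or not the check passes,
    // so a replayed submission is refused.
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);

    if ($expected === null || $submitted === null) {
        return false; // nothing was issued, or nothing was sent
    }
    if (time() - $issued > $maxAgeSeconds) {
        return false; // token is stale
    }
    // Constant-time comparison: does not leak how many bytes matched.
    return hash_equals($expected, $submitted);
}

// --- login.php side: embed the token in the form ---
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'login.php') {
    $token = issueFormToken();
    echo '<form method="post" action="change_password.php">';
    echo '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    // ... username / password / confirm-password fields go here ...
    echo '<button type="submit">Change password</button>';
    echo '</form>';
}

// --- change_password.php side: refuse anything without a valid token ---
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'change_password.php') {
    $submitted = $_POST['form_token'] ?? null;
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !verifyFormToken($submitted)) {
        http_response_code(403);
        exit('This form was not issued to your session by login.php.');
    }
    // Proceed with the password change.
}
```

Because the token is tied to the visitor's own session and is consumed on first use, a request that arrives without it (a bookmarked URL, a form copied to another site, a hand-made request) is rejected regardless of what its Referer header says.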
chronister (author), posted May 16, 2007: Haha, I was just about to ask about using sessions instead. I hit reply to ask and got that wonderful "Warning - while you were reading a new reply has been posted. You may wish to review your post" message. You answered my question before I even asked it. Thanks. Sessions are pretty darn difficult to get around, right? I am not passing the session id in the URL or anything, so sessions are "secure", right? I realize that the next step for *secure* would be SSL, but I don't need to go that route. I can change a few things to make high security not necessary, if need be.
john010117, posted May 16, 2007: Yes, people generally say that sessions are more secure than cookies. This piece of code that I've posted is what I generally use for making sure that the form came from my website.
radar, posted May 16, 2007: Sessions are said to be more secure than cookies for one reason: a cookie is stored on your system and may be edited by anyone at any time, so if you have horrible programming skills and use a cookie you can count on someone figuring out how to get into hidden areas of your website by editing the cookie. A session cannot be edited, no way, no how.
john010117, posted May 16, 2007: But if you're on a shared server (like me), other users can potentially hijack an active session (since most shared servers have a common session_save directory).
radar, posted May 16, 2007: Yes, that is true; however, someone would somewhat have to be smart in that. For example, at my house, I doubt my wife or my kids could accomplish such things.
chronister (author), posted May 16, 2007: Well, I am not worried about wives or kids, just those who know what the hell they are doing. The change-password form takes a user id that is passed via sessions now (it was via $_GET). In the form there are 3 fields: username, password, and confirm password. In the username field, I have it pull the username from a database and display it in a disabled text field so that the person changing the password can see that it's their username they are modifying. With the $_GET id pass, a person could theoretically enter random numbers and collect the usernames that were displayed, so you can see why I want something that would take work to get around. What I am protecting is not top-secret types of documents, but I just wanted to add a layer of security so that people don't get their login credentials hijacked. Sessions are how I am doing it. Thanks for the help, folks.
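The fix described in that last post, the account id coming from the session rather than from $_GET, is worth seeing as a complete handler, because it is what stops the username-harvesting problem: the server, not the visitor, decides which account the form edits. The following is an added example, not the poster's own script. It assumes a PDO connection to a `users` table with columns `id`, `username` and `password_hash`, a session key `user_id` set at login, and an 8-character minimum length; all of those are illustration choices, not something the thread specifies.

```php
<?php
// Added example (not the poster's code): change-password handler that takes
// the account identity from the session. Nothing in the request can choose a
// different account, so walking through ids reveals no usernames.

session_start();

// Assumption: the login step stored the authenticated account's id here.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Assumed schema: users(id, username, password_hash). Prepared statement
// keeps the id out of the SQL text.
function fetchUsername(PDO $db, int $userId): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Returns an error message, or null when the new password is acceptable.
function validateNewPassword(string $password, string $confirm): ?string
{
    if ($password !== $confirm) {
        return 'Passwords do not match.';
    }
    if (strlen($password) < 8) { // assumed policy
        return 'Password must be at least 8 characters.';
    }
    return null;
}

function changePassword(PDO $db, int $userId, string $newPassword): void
{
    // Store a salted hash, never the password itself.
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
    $stmt->execute([':hash' => $hash, ':id' => $userId]);
    // Rotate the session id after a credential change so an old id is useless.
    session_regenerate_id(true);
}

$userId = currentUserId();
if ($userId === null) {
    http_response_code(403);
    exit('Not logged in.');
}

$db = new PDO('sqlite:users.db'); // assumed connection string

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = validateNewPassword($_POST['password'] ?? '', $_POST['confirm'] ?? '');
    if ($error !== null) {
        exit(htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));
    }
    changePassword($db, $userId, $_POST['password']);
    exit('Password updated.');
}

// GET: render the form. The username is shown disabled, as in the thread,
// purely so the user can see which account they are editing; a disabled
// field is not submitted and is never trusted on the way back in.
$username = fetchUsername($db, $userId) ?? '';
echo '<form method="post">';
echo '<input type="text" value="' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '" disabled>';
echo '<input type="password" name="password">';
echo '<input type="password" name="confirm">';
echo '<button type="submit">Change password</button>';
echo '</form>';
```

Note that the displayed username is output only, with htmlspecialchars applied; the handler never reads a username or an id back from the form, so there is no field for a visitor to tamper with.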