Re: php form security question
"Rob" <reply_@news_group.please> wrote in message
news:e85a4$43897adf$3ec20fe0$6928@news.chello.nl...
>
> "C." <colin.mckinnon@gmail.com> wrote in message
> news:1132922910.710523.64410@o13g2000cwo.googlegroups.com...
>>> I think this is a security issue because you can make a
>>> script which calls the lookup.php script on the server each time with
>>> different values for the form.
>>
>> Yes - your assumptions about HTTP and the subsequent code have created a
>> security issue for your application. There is no wider issue - HTTP is
>> a stateless protocol.
>>
>> Rik's suggestion:
>>> 1. Make 2 (md5(microtime()) (sort of like username/password
>>> 2. Put them in a session and a db on the referrer-site.
>>
>> offers no advantage over using a session properly. In this scenario,
>> the authentication process is that the user must have visited the main
>> page before a post to lookup.php is processed. All you have to do is
>> record this state in the session. Using md5 and microtime and other
>> crypto stuff just adds fluff.
>>
>> Here's some code:
>>
>> index.php:
>> session_start();
>> $_SESSION['index_visited'] = 1;
>>
>> lookup.php:
>> session_start();
>> if (empty($_SESSION['index_visited'])) {
>>     // NB you should probably check the HTTP protocol level and do a
>>     // 302/303/307 as appropriate - IIRC header("Location...") always
>>     // returns a 302
>>     header("Location: $redirect");
>>     exit;
>> }
>>
>> C.
>>
>
> Then again, if the person does not go to the lookup page directly but
> visits some other pages first, the session index is set. Then if the person
> goes to the lookup page (through another page) the lookup.php is processed
> because the session index is set somewhere in the session. This means if
> you want this to work you have to unset the session index in all other
> pages.
>
> or do I miss something?
>
> Rob
>
Rob, I think you're right.
John
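One way to keep C.'s session check while answering Rob's point, as an added example that is not code from any poster in this thread: the flag is consumed the moment lookup.php honours it, so it never lingers in the session and no other page has to unset it. The shared include name form_gate.php, the helper names form_gate_issue/form_gate_consume and the redirect target /index.php are assumptions for the illustration.

```php
<?php
// form_gate.php (added example; not C.'s, Rik's or Rob's code)
// Shared by index.php and lookup.php. File and function names are assumed.

function form_gate_issue(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Record in the session that the form page was served.
    $_SESSION['index_visited'] = true;
}

function form_gate_consume(string $redirect): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['index_visited'])) {
        // The form page was not served first: send the client back to it.
        // The third argument sets the status explicitly (303 "See Other"
        // after a POST) instead of relying on PHP's default 302.
        header('Location: ' . $redirect, true, 303);
        exit;
    }
    // One-shot: clear the flag as soon as it is honoured, so it cannot
    // remain set for the rest of the session (Rob's objection) and the
    // other pages need no unset() of their own.
    unset($_SESSION['index_visited']);
}

// index.php would contain:
//   require 'form_gate.php';
//   form_gate_issue();
//   ... emit the form whose action is lookup.php ...
//
// lookup.php would contain:
//   require 'form_gate.php';
//   form_gate_consume('/index.php');   // assumed redirect target
//   ... perform the lookup ...
```

With this, lookup.php runs once per visit to index.php; a second post without reloading the form page is redirected back to it.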