[nycphp-talk] Forms & Refresh Question & General Form Security
Ophir Prusak
ophir at prusak.com
Fri May 16 16:23:38 EDT 2003
To answer your question, all the major browsers support http referer, but
the real issue is that the browser sends the server this data, and there is
no way you can verify it. The cURL library even allows you to send any data
you want as the http refer string.
I wouldn't be to worried if you're using this for something like a
guestbook, but if %100 reliable security is needed, you need to use
something else.
What you can do is encode the current time stamp (with something strong) and
pass that as a variable.
That way you can tell if someone tries to use an old string.
> Chris,
>
> Thank you for you comment. What are some of the browsers that do not
support
> http_referrer?
>
> Pinyo
>
More information about the talk
mailing list