[nycphp-talk] back button, page timeout, sessions

Chris Shiflett shiflett at php.net
Fri Jan 30 14:43:56 EST 2004


--- Adam Maccabee Trachtenberg <adam at trachtenberg.com> wrote:
> Roy Fielding would be so proud. If you read the HTTP RFC, you see
> that you're not supposed to alter any content as a result of a GET
> request. See section 9.1.1 of RFC 2616:
> 
> > In particular, the convention has been established that the GET and
> > HEAD methods SHOULD NOT have the significance of taking an action
> > other than retrieval. These methods ought to be considered
> > "safe". This allows user agents to represent other methods, such as
> > POST, PUT and DELETE, in a special way, so that the user is made
> > aware of the fact that a possibly unsafe action is being requested.

This is what he was referring to during my talk, if you remember. :-)

Of course, things in the specification that are left to the developers of
the actual Web clients (Apache, Mozilla, etc.) are more likely to be
adhered to than the things which are left to the Web application
developers. Unfortunately, we can't assume that a GET request is safe.

Rasmus mentioned (with a hint of pride, actually) that he is largely
responsible for this problem, and register_globals is a fundamental
factor. Because PHP developers don't have to even know what the request
method is, they are likely to not pay any attention when deciding whether
to take some important action. This is yet another reason why disabling
register_globals is a good idea.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
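As an added illustration of the problem described in the message above (this code is not from the original post or from any project mentioned in it), the first handler shows the pattern register_globals encourages, where the script never learns whether the request was a GET or a POST, and the second reads its input explicitly and acts only on a POST. `delete_record()` is a hypothetical data-layer helper.

```php
<?php
// Added example, not from the original thread. delete_record() is a hypothetical
// data-layer helper; both handlers below implement a "delete record" request.

// --- Before: what register_globals (php.ini: register_globals = On) encourages.
// $id arrives from the query string, a POST body or a cookie without the script
// ever learning which, so merely following a link to delete.php?id=42 deletes
// the row. That is the "unsafe GET" the RFC 2616 9.1.1 text warns about.
function handle_delete_before()
{
    global $id;                       // populated by register_globals
    if (isset($id)) {
        delete_record((int) $id);     // state change on a GET
        echo "Deleted record $id";
    }
}

// --- After: register_globals = Off, request method checked, input from $_POST only.
// A GET (typed URL, bookmark, back button, prefetcher, crawler) only renders a
// confirmation form; only the form's POST performs the deletion.
function handle_delete_after()
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        $id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
        // A CSRF token would also belong in this form; omitted here for brevity.
        echo '<form method="post" action="delete.php">'
           . '<input type="hidden" name="id" value="' . $id . '">'
           . '<button type="submit">Confirm delete</button></form>';
        return;
    }
    if (!isset($_POST['id']) || !ctype_digit($_POST['id'])) {
        http_response_code(400);
        exit('Missing or invalid id');
    }
    delete_record((int) $_POST['id']);
    // Redirect after the POST so refresh/back re-fetch the list rather than
    // re-submitting the delete (the back-button problem the thread is about).
    header('Location: list.php', true, 303);
    exit;
}

handle_delete_after();
```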


