PHP

referrer spoofing

shawn
Total Posts: 21
Joined: Apr 2011

Anyone know of a way to foil referrer spoofing?
It's just way too easy to beat the ol' $_SERVER['HTTP_REFERER'] check. Anyone have an idea for a better check?
I have a form script in an admin system that I am trying to protect pretty strongly.
I thought about doing an IP check, and if the IP is not in an array of acceptable IPs then killing the script and making them answer some security questions. If they pass, their IP will be added to the array... if they fail those questions 3 times then that IP gets logged and blocked.
Easy enough to script that, but I hate to make the client keep doing that if they are on different computers... plus I don't know what would happen in the instance of an XSS... would the IP check even work? The script that I am trying to protect is a standalone script... not a form posting back to itself.

Posted on September 19, 2011 at 2:46 PM
4 Replies

Admin
Total Posts: 65
Joined: Apr 2011

re: referrer spoofing

Might be a link here that can help you, buddy; not my area of expertise.

Posted on September 20, 2011 at 7:42 PM

Ttz
Total Posts: 39
Joined: Aug 2011

re: referrer spoofing

I am not sure if this will help with your security goals. But for referrer spoofing, if the referrer will be within the same PHP site, I would keep track of which page was last loaded in $_SESSION or a database.

<?php
session_start();
// Record server-side which pages this visitor has completed and where they are.
$_SESSION['pages_completed']['introduction'] = true;
$_SESSION['current_chapter'] = 0;
/*
pages
- introduction
- Chapter 1
- Chapter 2
- Chapter 3
...
*/
?>

<?php
session_start();
// On a later page, trust the session record rather than the Referer header.
if (!empty($_SESSION['pages_completed']['introduction'])) {
    // They completed the introduction; now let's keep track
    // of the chapters
    if ($_SESSION['current_chapter'] == 1) {
        // Let's gather chapter 1 materials
    } else if ($_SESSION['current_chapter'] == 2) {
        // Let's gather chapter 2 materials
    }
}
?>

Just an example

Posted on September 22, 2011 at 7:32 PM

Ttz
Total Posts: 39
Joined: Aug 2011

re: referrer spoofing

If the standalone form_processing.php should only be run from within an admin_panel system on the same site, then I would check whether the user is logged in and has credentials to access form_processing.php:

<?php
session_start();

/*
my admin_panel system stores the user information
in an array $_SESSION['user']
*/

if (isset($_SESSION['user']) && is_array($_SESSION['user'])) {
    // Yup, a user is logged in
    if ($_SESSION['user']['permission_level'] == 'admin') {
        // Yup, it is an administrator; let's run the code I wanted
    }
}
?>

Posted on September 22, 2011 at 8:01 PM

Ttz
Total Posts: 39
Joined: Aug 2011

re: referrer spoofing

Maybe for a bit of extra security that is also a little laid-back (and for this example I'll just say there is only one admin, which is me), I would have my script monitor my first few logins and track the IP address range I use, such as 192.168.20.0 (which I know is a 0.0.0.255 subnet).

But IP logging is most widely used for logging purposes.

Then after my first few logins, for the break-in period, let's tighten up the security by asking a few security questions and asking whether I'm using a public computer (I might be using a computer at the library, a friend's computer, or my other computer at home).

It might also help to use a cookie to store some kind of ticket that my script issued. This would help if I were to use my laptop at work or at a public library.

Posted on September 22, 2011 at 8:23 PM
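Pulling the thread's two suggestions together (the logged-in admin check from the second Ttz reply and the "ticket issued by my script" idea from the last one), here is an added example that is not code from any poster. It assumes, as the replies do, that the admin panel keeps the user record in $_SESSION['user'] with a 'permission_level' key; the function names, the 'form_token' field and the ?action= dispatch are illustrative. The point is that none of it reads $_SERVER['HTTP_REFERER']: the browser sets that header and a forged request can set it to anything, whereas a session-bound random token is only known to a client that already fetched the form inside an authenticated session.

```php
<?php
// Added example: guarding a standalone form_processing.php without the Referer check.
// Assumed: $_SESSION['user']['permission_level'] as described in the thread above;
// 'form_token' and ?action= are illustrative names, not part of any real project.
declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,   // keep the session id out of reach of page scripts
    'samesite' => 'Lax',  // browsers then omit the cookie on cross-site POSTs
    // 'secure' => true,  // enable when the admin panel is served over HTTPS
]);
session_start();

// Called by the page that renders the form: issues one unguessable token per
// session and returns it so it can be embedded as a hidden field.
function issue_form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['form_token'];
}

// True only when a user is logged in and holds the admin permission level.
function is_admin_session(): bool
{
    return isset($_SESSION['user'])
        && is_array($_SESSION['user'])
        && ($_SESSION['user']['permission_level'] ?? null) === 'admin';
}

// True only when the submitted token equals the one this session was issued.
// hash_equals() compares in constant time so the check does not leak by timing.
function form_token_is_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['form_token'])) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

// Guard for the standalone processor: method, login, privilege, token, in that order.
function authorize_form_request(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('POST only');
    }
    if (!is_admin_session()) {
        http_response_code(403);
        exit('Not logged in as an administrator');
    }
    if (!form_token_is_valid($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Bad or missing form token');
    }
}

if (PHP_SAPI !== 'cli') {
    if (($_GET['action'] ?? '') === 'form') {
        // admin_panel.php role: render the form with the token embedded.
        $token = issue_form_token();
        echo '<form method="post" action="?action=process">'
           . '<input type="hidden" name="form_token" value="'
           . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
           . '<button type="submit">Submit</button></form>';
    } else {
        // form_processing.php role: refuse anything that fails the guard.
        authorize_form_request();
        echo 'Form accepted';
    }
}
```

To see why this beats the Referer check, submit the form from a different origin or replay it with curl while setting -e to the admin panel's URL: the request still fails, because the token lives only in the session that rendered the form. Regenerate the token (or the whole session id with session_regenerate_id()) on login so a token captured before authentication is useless afterwards.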