According to the spec:
$HTTP_REFERER
The address of the page (if any) which referred the browser to the
current page. This is set by the user's browser; not all browsers will set
this.
So if it is set by the user's browser, it can be changed, or shut off.
I believe there are programs out there that block that env var so people do
not leave tracks within a site as well. Look at tucows.com for such programs.
Typically, if a user went through 5 pages to sign up and is on the sixth
page, I wouldn't worry about someone forging that too much. I'd be more
worried about referrer not being set and then not allowing them to sign up
because of that. You can always set a variable like $PAGENUM in your code on
the second-to-last page and session register it, then check for it on the last
page. If it exists, do your thing and destroy the session. If it does not
exist, you can take the desired action. Combine this with the HTTP_REFERER
and I would think you should be fairly safe... but remember, the HTTP_REFERER
could be empty, whereas the session var should be trusted as it is coming
from your own site.
On Friday 17 August 2001 09:34 am, you wrote:
>
> Thanks. But is using $HTTP_REFERER the most secure way of doing it? Or can
> the $HTTP_REFERER be forged and thus gaining unauthorized access to the
> forms?
--
PHP General Mailing List (http://www.php.net/)
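
The check described in the message above, as an added example that is not part of the original post: a server-side session marker decides whether the last page may act, and HTTP_REFERER can only veto, never grant. It generalizes the single $PAGENUM flag to an in-order step counter; the function names, LAST_STEP and the host name are assumptions, and plain arrays stand in for $_SESSION and $_SERVER.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Function names, LAST_STEP and
// the host name are hypothetical; plain arrays stand in for $_SESSION and
// $_SERVER so the script runs from the command line.
const LAST_STEP = 5; // five sign-up pages, then the final (sixth) page

// Call at the end of page $step, after that page's input has been accepted.
function mark_step_done(array &$session, int $step): void
{
    $done = $session['PAGENUM'] ?? 0;
    if ($step === $done + 1) {      // advance only in order, no skipping
        $session['PAGENUM'] = $step;
    }
}

// Call on the final page before acting on the submission.
function may_submit(array &$session, array $server, string $ownHost): bool
{
    // Server-side state is the authority: the client cannot write it.
    $ok = ($session['PAGENUM'] ?? 0) === LAST_STEP;

    // Referer is advisory: absent is tolerated, a foreign host is refused.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer !== '') {
        $host = parse_url($referer, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $ownHost) !== 0) {
            $ok = false;
        }
    }

    unset($session['PAGENUM']);     // one-shot; in a page, session_destroy()
    return $ok;
}

// Constructed demo.
$visitor = [];
for ($page = 1; $page <= LAST_STEP; $page++) {
    mark_step_done($visitor, $page);
}
// Walked all pages, browser sent no Referer.
var_dump(may_submit($visitor, [], 'www.example.com'));

// Jumped straight to the last page with a plausible-looking Referer.
$direct = [];
$forged = ['HTTP_REFERER' => 'https://www.example.com/signup5.php'];
var_dump(may_submit($direct, $forged, 'www.example.com'));
```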