
Re: HTTP "Referer" field considered harmful



Goran Oberg writes:
> 
> To omit everything after a question mark would not solve the problem. It
> could give a false sense of security and that's something I think we
> should try to stay clear of.
> 
> In the case of SATAN it wouldn't do any good as SATAN URLs are in the
> form
> http://<localhost>:<unknown_high_port_number>/<unknown_magic_cookie>/<path>
> and would be revealed all the same. So anyone running SATAN using the
> WWW-interface shouldn't connect to other servers in the midst of a
> SATAN-session.

  If it's not using a form with method=get all the time, then you are right,
my solution wouldn't fix the problem.

  This is what session IDs/cookies will be good at solving.  There is a
good discussion going on in www-talk about just this topic if anyone cares
to drop in.

> PS.  s/SATAN/SANTA/g if ( $OFFENDED );    (-:

 heh.  What if santa offends me too?  s/SANTA/NASTA/g ? :)

-Bill P.
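The two positions in this exchange, as an added example that is not part of the thread: stripping everything after '?' removes a query-string secret but leaves a SATAN-style path-embedded cookie intact, while sending only the origin on cross-site requests hides the path as well. The URLs and the hypothetical cookie value are constructed; a real SATAN URL puts the host running SATAN where "localhost" appears here.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample Referer values (not taken from the thread).
SATAN_STYLE = "http://localhost:31337/3f9a0c7e2b/satan.html"   # magic cookie lives in the path
QUERY_STYLE = "http://intranet.example/search?token=s3cr3t"    # secret lives in the query string


def strip_query(referer: str) -> str:
    """The 'omit everything after a question mark' approach."""
    p = urlsplit(referer)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def origin_only(referer: str) -> str:
    """Reduce a URL to scheme://host[:port]/ so neither path nor query is sent."""
    p = urlsplit(referer)
    return urlunsplit((p.scheme, p.netloc, "/", "", ""))


def referer_for_request(referer: str, target: str) -> Optional[str]:
    """Policy a client could apply: full Referer only to the same origin,
    origin-only to any other server (the SATAN listener's host:port is
    still disclosed, but the cookie segment is not)."""
    src, dst = urlsplit(referer), urlsplit(target)
    if (src.scheme, src.netloc) == (dst.scheme, dst.netloc):
        return referer
    return origin_only(referer)


def leaks(sent: Optional[str], secret: str) -> bool:
    """True if the Referer value actually transmitted still contains the secret."""
    return sent is not None and secret in sent


if __name__ == "__main__":
    # Query stripping fixes the query-string case only.
    print(leaks(strip_query(QUERY_STYLE), "s3cr3t"))       # False
    print(leaks(strip_query(SATAN_STYLE), "3f9a0c7e2b"))   # True: cookie is in the path
    # Origin-only on cross-site requests hides the path as well.
    print(leaks(referer_for_request(SATAN_STYLE, "http://www.example.org/"), "3f9a0c7e2b"))  # False
```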
