Re: HTTP "Referer" field considered harmful
Goran Oberg writes:
>
> To omit everything after a question mark would not solve the problem. It
> could give a false sense of security and that's something I think we
> should try to stay clear of.
>
> In the case of SATAN it wouldn't do any good as SATAN URLs are in the
> form
> http://<localhost>:<unknown_high_port_number>/<unknown_magic_cookie>/<path>
> and would be revealed all the same. So anyone running SATAN using the
> WWW-interface shouldn't connect to other servers in the midst of a
> SATAN-session.
If it's not using a form with method=get all the time, then you are right,
my solution wouldn't fix the problem.
This is what session IDs/cookies will be good at solving. There is a
good discussion going on in www-talk about just this topic if anyone cares
to drop in.
> PS. s/SATAN/SANTA/g if ( $OFFENDED ); (-:
heh. What if Santa offends me too? s/SANTA/NASTA/g ? :)
-Bill P.
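The three cases argued over in this exchange, as an added worked example that is not part of the original thread or of SATAN: a small model of which request headers a browser sends when the user follows a link from one page to a server on another host. The sample URLs, the magic cookie value `8f1c2e9a7b`, the host names and the `outgoing_headers`/`secret_reaches` helper names are all constructed for illustration. It shows that dropping everything after `?` hides a GET-form token but not a SATAN-style secret embedded in the path, while a session ID carried in a Cookie header is only sent back to the host that set it and never appears in the Referer.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data (not from the thread or from SATAN).
MAGIC = "8f1c2e9a7b"                                   # stand-in for an unknown magic cookie
SATAN_STYLE_URL = f"http://localhost:31337/{MAGIC}/satan/results.html"   # secret in the path
GET_FORM_URL = f"http://localhost:8080/cgi-bin/report?session={MAGIC}&page=3"  # secret in the query
COOKIE_URL = "http://localhost:8080/cgi-bin/report?page=3"              # secret kept in a cookie
REMOTE_LINK = "http://example.net/info.html"          # a link to some other server
OWN_SERVER_LINK = "http://localhost:8080/cgi-bin/report?page=4"


def referer_value(page_url: str, strip_query: bool = False) -> str:
    """The Referer a browser would send for a link found on page_url.

    Fragments never go on the wire. With strip_query=True everything after
    '?' is dropped as well, which is the mitigation proposed in the thread.
    """
    parts = urlsplit(page_url)._replace(fragment="")
    if strip_query:
        parts = parts._replace(query="")
    return urlunsplit(parts)


def outgoing_headers(from_url: str, to_url: str, cookies: dict,
                     strip_query: bool = False) -> dict:
    """Headers a browser sends when following a link on from_url to to_url.

    `cookies` maps a host (as it appears in the URL, port included) to the
    Cookie string that host set. A cookie is only returned to its own host,
    so a session ID kept in a cookie never reaches a third-party server.
    """
    to_host = urlsplit(to_url).netloc
    headers = {
        "Host": to_host,
        "Referer": referer_value(from_url, strip_query),
    }
    if to_host in cookies:
        headers["Cookie"] = cookies[to_host]
    return headers


def secret_reaches(from_url: str, to_url: str, cookies: dict, secret: str,
                   strip_query: bool = False) -> bool:
    """True if `secret` appears in any header sent to the target of the link."""
    headers = outgoing_headers(from_url, to_url, cookies, strip_query)
    return any(secret in value for value in headers.values())


def leak_matrix() -> dict:
    """Summarise the cases from the thread: where does the secret end up?"""
    session_cookie = {"localhost:8080": f"session={MAGIC}"}
    return {
        "get_form_full_referer": secret_reaches(GET_FORM_URL, REMOTE_LINK, {}, MAGIC),
        "get_form_query_stripped": secret_reaches(GET_FORM_URL, REMOTE_LINK, {}, MAGIC,
                                                  strip_query=True),
        "satan_path_query_stripped": secret_reaches(SATAN_STYLE_URL, REMOTE_LINK, {}, MAGIC,
                                                    strip_query=True),
        "cookie_session_to_remote": secret_reaches(COOKIE_URL, REMOTE_LINK, session_cookie, MAGIC),
        "cookie_session_to_own_server": secret_reaches(COOKIE_URL, OWN_SERVER_LINK,
                                                       session_cookie, MAGIC),
    }


if __name__ == "__main__":
    for case, leaked in leak_matrix().items():
        print(f"{case:32s} secret reaches target: {leaked}")
```

Stripping the query only helps for the GET-form case; the SATAN-style URL still leaks its magic cookie through the path, and a cookie-based session ID reaches only the server that issued it.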