[nycphp-talk] Chris Shiflett's Session Example
Chris Shiflett
shiflett at php.net
Sat Aug 6 17:14:43 EDT 2005
Joseph Crawford wrote:
> # Make sure the user agent is correct
> $ua_should_be = urldecode($parsed_cookie['ua']);
> if ($_SERVER['HTTP_USER_AGENT'] != $ua_should_be)
> {
>     $identity_validated = false;
> }
>
> does that seem redundant to anyone else?
It's not a particularly good example, since an attacker can pretty
easily determine the format of the cookie string and spoof it.
However, it's meant to illustrate the basic idea of consistency
checking. Inconsistencies in a client's request are reason for
suspicion, although legitimate users may send slightly inconsistent
requests due to HTTP proxies and weird browser behavior (IE sends a
different Accept header when you reload a page) on occasion. So, make
sure your "punishment" is mild. :-)
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
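An added illustration of the consistency check discussed above, written for this page and not taken from the thread or from Chris Shiflett's book: the expected User-Agent hash is kept in the server-side session instead of inside the client-controlled cookie, and a mismatch only forces re-authentication rather than destroying the session. Function names and the sample User-Agent strings are hypothetical.

```php
<?php
// Added example (not from the original thread). Rather than trusting a
// 'ua' field carried in the cookie, which the client can rewrite freely,
// bind a hash of the User-Agent into the server-side session at login and
// compare it on each later request.

const RESULT_OK     = 'ok';
const RESULT_REAUTH = 'reauth';

function fingerprint(array $server): string {
    // Only the User-Agent goes into the fingerprint. The Accept header is
    // deliberately left out: some browsers (IE on reload) change it, which
    // would raise false alarms against legitimate users.
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ua);
}

function bindSession(array &$session, array $server): void {
    // Called once, right after the user has successfully authenticated.
    $session['fingerprint']        = fingerprint($server);
    $session['identity_validated'] = true;
}

function checkSession(array &$session, array $server): string {
    if (!isset($session['fingerprint'])) {
        return RESULT_REAUTH;   // never bound: treat as unauthenticated
    }
    if (!hash_equals($session['fingerprint'], fingerprint($server))) {
        // Mild "punishment": keep the session contents but clear the
        // validated flag so the user is simply asked to log in again.
        $session['identity_validated'] = false;
        return RESULT_REAUTH;
    }
    return RESULT_OK;
}

// Constructed sample requests (hypothetical User-Agent values).
$session = [];
$login   = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/1.0'];
$same    = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/1.0'];
$other   = ['HTTP_USER_AGENT' => 'curl/7.43.0'];

bindSession($session, $login);
echo checkSession($session, $same),  "\n";   // ok
echo checkSession($session, $other), "\n";   // reauth
```

Because the attacker has to guess a User-Agent they cannot read out of the cookie, the check is harder to spoof than the cookie-carried version, while the mild response keeps proxy-induced inconsistencies from locking out real users.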