  1. #51 Michael Morris (Knoxville TN)
    Quote Originally Posted by oddz:
    @iackay

    Using HTTP_X_REQUESTED_WITH for authentication is fundamentally flawed since it can be spoofed. Hopefully it's not being used for that purpose; otherwise anyone can spoof it and access actions without restrictions if no additional, server-side authentication exists. In that regard it's pretty much worthless.
    Well, the fact that it's an "HTTP_X_" header should be the first clue that it can be spoofed. I wish PHP had put the elements in $_SERVER that can be altered by the client in an attack into a different superglobal, so that the fact they can be changed could be driven home more easily to intermediate programmers, but at this point doing so would be a backwards-compatibility nightmare.

    Any header starting with "HTTP_X_" is custom and settable by the client. In the response there's the reverse of "X_".
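
    As an added example (not code from any of the posts above), here is a small PHP script that models the point made in this post and in the quoted one. It builds $_SERVER-style arrays the way the SAPI does: every request header becomes an "HTTP_" key, so a genuine XMLHttpRequest and a curl request that forges the same header are indistinguishable to a check on HTTP_X_REQUESTED_WITH, while a value taken from the socket (REMOTE_ADDR) is not under the header-sender's control. The guard functions is_ajax_request and is_authorized, the host example.test and the per-session token are assumptions for the example.

```php
<?php
// Added example, not from the thread. Models how request headers land in
// $_SERVER and why a header-based "is this AJAX?" check is not authentication.

// Every request header becomes $_SERVER['HTTP_<NAME>']: name upper-cased,
// dashes turned into underscores. The client chooses all of these values.
// REMOTE_ADDR comes from the TCP connection, not from a header, so it is
// the server's observation rather than a client-supplied string.
function build_server_vars(array $headers, string $peer_addr): array
{
    $vars = ['REMOTE_ADDR' => $peer_addr];
    foreach ($headers as $name => $value) {
        $vars['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
    }
    return $vars;
}

// Flawed guard (hypothetical): trusts a header that any client can send.
function is_ajax_request(array $server): bool
{
    return ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}

// Server-side guard (hypothetical): the request must carry a token that only a
// page rendered into this session could have embedded. hash_equals() avoids a
// timing side channel on the comparison.
function is_authorized(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Constructed sample requests.
$browser = build_server_vars([
    'Host'             => 'example.test',
    'User-Agent'       => 'Mozilla/5.0',
    'X-Requested-With' => 'XMLHttpRequest',
], '203.0.113.10');

// What the server sees for:
//   curl -H 'X-Requested-With: XMLHttpRequest' https://example.test/admin/delete
$forged = build_server_vars([
    'Host'             => 'example.test',
    'User-Agent'       => 'curl/8.0',
    'X-Requested-With' => 'XMLHttpRequest',
], '198.51.100.7');

// A session that has already handed its token to the browser.
$session = ['csrf_token' => bin2hex(random_bytes(16))];

echo "header check, browser: ", var_export(is_ajax_request($browser), true), PHP_EOL;
echo "header check, forged:  ", var_export(is_ajax_request($forged), true), PHP_EOL;
echo "token check, valid:    ", var_export(is_authorized($session, ['csrf_token' => $session['csrf_token']]), true), PHP_EOL;
echo "token check, guessed:  ", var_export(is_authorized($session, ['csrf_token' => 'guess']), true), PHP_EOL;
echo "token check, missing:  ", var_export(is_authorized($session, []), true), PHP_EOL;
```

    Run it with `php example.php` (PHP 7.0 or later for `??` and random_bytes()). The header check accepts the forged request exactly as it accepts the browser's, because the only difference between the two arrays is text the sender typed; the token check accepts only the request that presents the session's own secret, which the curl user never received.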

  2. #52 kyberfabrikken (Copenhagen, Denmark)
    Quote Originally Posted by Michael Morris:
    Any header starting with "HTTP_X_" is custom and settable by the client. In the response there's the reverse of "X_".

    So are those starting with HTTP_.

  3. #53 Michael Morris (Knoxville TN)
    Quote Originally Posted by kyberfabrikken:
    So are those starting with HTTP_.
    No, you're wrong. They are set by the client, but they aren't custom. The meaning of HTTP_USER_AGENT might be under the client's control, but the HTTP protocol defines how that variable should be used.

    I said ... "Any header starting with "HTTP_X_" is custom and settable by the client. In the response there's the reverse of "X_"."

    In code terms that's --
    (custom && set_by_client)

    which certainly is not equal to just

    ( set_by_client)

