questions regarding referer

[cleansedbb]

I am writing a chat script and wanted to avoid a problem I had with my old cgi chat called "ghosting".

I have the script to where you must login with a phpsessionID and it gets your referer. lately though because of norton etc I am not getting a referer?

other than a referer is there a way to make sure the file is called localy?

i.e.
the site is

http://www.test.com/test.php

the form method is test.php

but if I copy the <form method=

http://www.test.com/test.php>

to a local html on my hard drive and excute through IE i can post messages to the chat.

any insight is appreciated!

 

[namida]

try to check with session, for example only if a person is logged in it has a certain variable such as userName in the _SESSION Variable, so he / she has to log in first. That's if it has some sort of login

Did you try the $_SERVER['HTTP_REFERER'] variable?



Regards,

Namida

 

[DRJ478]

HTTP_REFERER is an optional header that may or may not be sent by the client. It is non deterministic and cannot be trusted since it is easily faked.
A login system should always include a deterministic way to check if the user is authenticated. The session solution appears to be the most common and I would recommend to implement that instead of relying on optional possibly faked information.

 

[cleansedbb]

yes there is a session with a phpsessID assigned. I will make it compare the data in the database with the login.

Thank you both after playing with this I figured I might have to use the sessions.