
Posted: Tue Nov 27, 2007 8:17 am
by aaronhall
It depends on how you're using it -- in your case, it sounds like the worst that would happen is denied access for browsers that don't send the header (very few). Just as long as it's not used to grant access by itself, because it's easily changed.

Posted: Tue Nov 27, 2007 8:18 am
by Zoxive
ianhull wrote: Thanks for that Aaron,

Didn't know it was unreliable, it has always been fine for me (strike of luck?) :)
By default most browsers send the Referrer information, but the user can optionally disable it.

Posted: Tue Nov 27, 2007 11:16 am
by ianhull
Thanks guys, didn't know that.

I am thinking of using an encrypted session key which will be generated every time the form loads.

any thoughts, suggestions?

Thanks in advance

good way to stop people posting from outside your server

Posted: Tue Nov 27, 2007 3:05 pm
by FireElement
This is a nice little token code.

I found it at this site: http://shiflett.org/articles/cross-site ... -forgeries
Also there is a time-out one as well, although I am not making a login area so I will not need that.

Code:

session_start();                         /* $_SESSION is only available after the session is started */

if (!isset($_SESSION['token'])) {
     /* Generate one random token per session and keep it server side */
     $_SESSION['token'] = md5(uniqid(rand(), TRUE));
}

/* Accept the POST only if the submitted token is present and exactly matches
   the session token; strict comparison avoids PHP's loose-comparison type juggling */
if (isset($_POST['token']) && $_POST['token'] === $_SESSION['token'])
{
     /* Valid Token */
}
If you use this then there is no real way the user can know your token code and post it.
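As an added example (not code from the post above or from Shiflett's article), here is a fuller version of the same idea that also covers ianhull's per-form-load key and aaronhall's point that the Referer header may only ever be a secondary check, never the gate by itself; the function names and the form name 'contact' are our own.

```php
<?php
// Added example, not code from the forum post or from Shiflett's article. It
// combines the thread's ideas: a per-session secret, a fresh per-form nonce
// (ianhull's suggestion) and a Referer check used only as a secondary signal.
session_start();

// Issue a token for one form. The session holds a random secret; each form
// load gets its own nonce, and the browser receives nonce:HMAC(form|nonce) so a
// token captured from one form cannot be replayed against another form.
function csrf_issue(string $form): string {
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['csrf_nonce'][$form] = $nonce;
    return $nonce . ':' . hash_hmac('sha256', $form . '|' . $nonce, $_SESSION['csrf_secret']);
}

// Verify the submitted token and consume the nonce so each token is single-use.
function csrf_verify(string $form, $submitted): bool {
    if (!is_string($submitted) || empty($_SESSION['csrf_secret']) || empty($_SESSION['csrf_nonce'][$form])) {
        return false;
    }
    $nonce = $_SESSION['csrf_nonce'][$form];
    unset($_SESSION['csrf_nonce'][$form]);            // a resubmit needs a fresh form load
    $expected = $nonce . ':' . hash_hmac('sha256', $form . '|' . $nonce, $_SESSION['csrf_secret']);
    return hash_equals($expected, $submitted);         // constant-time comparison, no type juggling
}

// Referer is defence in depth only: reject a foreign origin when the header is
// present, but never treat the header by itself as a grant (it is trivially forged,
// and many browsers and privacy tools omit it).
function referer_ok(?string $referer, string $host): bool {
    if ($referer === null || $referer === '') {
        return true;
    }
    return strcasecmp((string) parse_url($referer, PHP_URL_HOST), $host) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Form template: embed the token as a hidden field.
    echo '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_issue('contact'), ENT_QUOTES) . '">';
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = csrf_verify('contact', $_POST['token'] ?? null)
        && referer_ok($_SERVER['HTTP_REFERER'] ?? null, $_SERVER['SERVER_NAME'] ?? '');
    if (!$ok) { http_response_code(403); exit('Invalid form submission'); }
    /* Valid token: process the form here */
}
```

A request that lacks the Referer header still passes, so the token alone decides access, which matches aaronhall's advice above.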

Posted: Tue Nov 27, 2007 4:08 pm
by ianhull
Thanks fire, that is excellent! :D

Posted: Tue Nov 27, 2007 7:39 pm
by FireElement
ianhull wrote: Thanks fire, that is excellent! :D
No problem!