1
gecko
Security 2.0.10 disable HTTP Referer
  • 2005/5/10 2:06

  • gecko

  • Not too shy to talk

  • Posts: 152

  • Since: 2004/10/11


Hi all,
Just looking for some advice; hope this is the right place to post.

I have upgraded from 2.0.9.3 to 2.0.10
and of course the HTTP referer check that I have disabled with this hack (because no one can log in to the site otherwise) is back to the default XOOPS setting.

in includes/functions.php
function xoops_refcheck($docheck=1)
{
    return true; #*#DISABLE_REFERER_CHECK#   (the hack: always accept, so the checks below never run)

    $ref = xoops_getenv('HTTP_REFERER');
    if ($docheck == 0) {
        return true;
    }
    if ($ref == '') {
        return false;   # no Referer header sent: reject
    }
    if (strpos($ref, XOOPS_URL) !== 0) {
        return false;   # Referer does not start with this site's URL: reject
    }
    return true;
}

Is this still necessary, or does 2.0.10 have a new way to deal with this?
Any helpful advice appreciated.
cheers
gecko

2
gecko
Re: Security 2.0.10 disable HTTP Referer
  • 2005/5/11 3:14

  • gecko

  • Not too shy to talk

  • Posts: 152

  • Since: 2004/10/11


Anyone??

3
Dave_L
Re: Security 2.0.10 disable HTTP Referer
  • 2005/5/11 3:21

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


XOOPS 2.0.10 implements security tokens for forms, which removes much of the need for HTTP_REFERER checking. But most modules haven't been modified yet to make use of the tokens.

For maximum security, HTTP_REFERER checking is still recommended. However, the decision on whether to "hack it out" is yours.

4
gecko
Re: Security 2.0.10 disable HTTP Referer
  • 2005/5/11 3:29

  • gecko

  • Not too shy to talk

  • Posts: 152

  • Since: 2004/10/11


Thanks Dave for your quick reply.

How come other huge sites don't have this problem? Amazon, BBC, etc.

I appreciate the security, but it is so unprofessional tripping people up when they are trying to join your community.

This is a serious marketing issue here.

Am I right in assuming this will change as we move to XOOPS 2.2?

thanks again
Gecko

5
Mithrandir
Re: Security 2.0.10 disable HTTP Referer

Quote:
How come other huge sites don't have this problem? Amazon, BBC, etc.

Since I am not familiar with their logon and CSRF protection, I cannot answer that.

Who knows - maybe those systems actually are quite vulnerable to CSRF attacks.

Anyway, we will continue with the HTTP REFERER check for as long as it is necessary - and until the security token system is implemented in the majority of modules, I don't see it as unnecessary.
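To make the trade-off in Dave_L's and Mithrandir's replies concrete, here is a small added example (my own PHP, not XOOPS code) that puts a Referer-based check with the same logic as xoops_refcheck() next to a per-session form token, and runs both over three constructed requests. It assumes PHP 7 or later for random_bytes() and hash_equals(); SITE_URL stands in for XOOPS_URL and the request arrays are constructed, not captured.

```php
<?php
// Added example, not part of XOOPS: Referer check versus per-session CSRF token.
// Assumes PHP 7+ (random_bytes, hash_equals). SITE_URL is a placeholder for XOOPS_URL.

const SITE_URL = 'https://example.invalid';

// Same decision as xoops_refcheck(): accept only when HTTP_REFERER starts
// with this site's URL; an absent header is rejected.
function referer_check(string $referer, string $site_url): bool
{
    if ($referer === '') {
        return false;          // browser or proxy stripped the header
    }
    return strpos($referer, $site_url) === 0;
}

// Issue a token: kept in the session and emitted as a hidden form field.
function csrf_token_issue(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf_token'] = $token;
    return $token;
}

// Verify the token that came back with the POST against the session copy.
function csrf_token_verify(array &$session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    $ok = hash_equals($session['csrf_token'], $submitted);
    unset($session['csrf_token']);   // single use: a replayed token fails
    return $ok;
}

// Constructed requests: the Referer header and token field a form handler would see.
$session    = [];
$form_token = csrf_token_issue($session);

$requests = [
    'same-site form, Referer present'  => ['referer' => SITE_URL . '/user.php',     'token' => $form_token],
    'same-site form, Referer stripped' => ['referer' => '',                         'token' => $form_token],
    'cross-site forged POST'           => ['referer' => 'https://attacker.invalid/', 'token' => null],
];

foreach ($requests as $label => $req) {
    $by_referer = referer_check($req['referer'], SITE_URL);
    $sess_copy  = $session;   // fresh copy so each case is verified against the issued token
    $by_token   = csrf_token_verify($sess_copy, $req['token']);
    printf("%-34s referer=%s token=%s\n",
        $label, $by_referer ? 'pass' : 'FAIL', $by_token ? 'pass' : 'FAIL');
}
```

The second case is the login problem described in the first post: a legitimate user whose browser or proxy sends no Referer is rejected by the Referer check but accepted by the token check, while the forged cross-site POST in the third case fails both. That is why the token system reduces the need for the Referer check once a module's forms actually carry the token, and why the check is still worth keeping for forms that do not yet.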

6
gecko
Re: Security 2.0.10 disable HTTP Referer
  • 2005/5/11 21:55

  • gecko

  • Not too shy to talk

  • Posts: 152

  • Since: 2004/10/11


Thanks for your reply Mithrandir,

now I'm up to speed.

Gecko
