XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. Q and A 
  4.  / Security 2.0.10 disable HTTP Referer
Register
1
gecko
Security 2.0.10 disable HTTP Referer

  • 2005/5/10 2:06

  • gecko

  • Not too shy to talk

  • Posts: 152

  • Since: 2004/10/11


Hi all,
just looking for some advice hope this is the right place to post.

I have upgraded from 2.0.9.3 to 2.0.10
and of course the http referer that i have disabled with this hack (cause no one can login to site otherwise)is back to the default XOOPS setting.

in includes/functions.php
function xoops_refcheck($docheck=1)
{
   return true;#*#DISABLE_REFERER_CHECK#
   $ref xoops_getenv('HTTP_REFERER');
   if ($docheck == 0) {
      return true;
   }
   if ($ref == '') {
      return false;
   }
   if (strpos($refXOOPS_URL) !== ) {
      return false;
   }

Is this still nesscesary or has the 2.0.10 got a new way to deal with this?
any helpful advice appreciated.
cheers
gecko
2
gecko
Re: Security 2.0.10 disable HTTP Referer

  • 2005/5/11 3:14

  • gecko

  • Not too shy to talk

  • Posts: 152

  • Since: 2004/10/11


Anyone??
3
Dave_L
Re: Security 2.0.10 disable HTTP Referer

  • 2005/5/11 3:21

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


XOOPS 2.0.10 implements security tokens for forms, which removes much of the need for HTTP_REFERER checking. But most modules haven't been modified yet to make use of the tokens.

For maximum security, HTTP_REFERER checking is still recommended. However, the decision on whether to "hack it out" is yours.
4
gecko
Re: Security 2.0.10 disable HTTP Referer

  • 2005/5/11 3:29

  • gecko

  • Not too shy to talk

  • Posts: 152

  • Since: 2004/10/11


Thanks Dave for you quick reply.

How come other huge sites don't have this problem?.amazon, BBC,etc.

i appreciate the security, but it is so unprofessional tripping people up when they are trying to join your community.

This is a serious marketing issue here.

Am i right assuming this will change as we move to XOOPS2.2?

thanks again
Gecko
5
Mithrandir
Re: Security 2.0.10 disable HTTP Referer

Quote:
How come other huge sites don't have this problem?.amazon, BBC,etc.

Since I am not familiar with their logon and CSRF protection, I cannot answer that.

Who knows - maybe those systems actually are quite vulnerable to CSRF attacks.

Anyway, we will continue with the HTTP REFERER check for as long as it is necessary - and until the security token system is implemented in the majority of modules, I don't see it as unnecessary.
6
gecko
Re: Security 2.0.10 disable HTTP Referer

  • 2005/5/11 21:55

  • gecko

  • Not too shy to talk

  • Posts: 152

  • Since: 2004/10/11


Thanks for your reply Mithrandir

now im up to speed.

Gecko

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

249 user(s) are online (136 user(s) are browsing Support Forums)

Members: 0

Guests: 249

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits