1 (edited by kendra 2005-10-15 02:20)

Topic: SSL is not a different referrer is it?

Why is it that Punbb considers a secured session (https://) a different referer than insecured (http://)?

I don't think that https:// is a different referer.

I found that other applications that use referers do not include the http:// as part of the referer.

(phpclassifieds for example)
referer1: mysite.com/classifieds
referer2: classifieds.mysite.com

Our ecard script does include the www but has 4 allowed referers

referer1: mysite.com/ecard
referer2: www.mysite.com/ecard
referer3: ecard.mysite.com
referer4: www.ecard.mysite.com


So what about punbb then? Is there any way to at least allow the option to use both http:// and https://?

So we have no choice but to force https://, it seems like the only way to assure that a user won't experience the bad-referer error.

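<?php
$mydefaultport = 80;   // plain HTTP port
$https = "$pun_root";  // Secure Page
// Redirect to the secure page when the request arrived on the plain HTTP port
if ($_SERVER['SERVER_PORT'] == $mydefaultport) {
    header("Location: " . $https . $_SERVER['REQUEST_URI']);
    exit;
}
?>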

Okay so this re-directs to https:// if the user somehow lands on the pun with http:// but ideally it would be nice to see it work with both.

Perhaps this can be a future suggestion to add multi-(same domain) referers that will allow https:// as well as subdomains so

http://mysite.com/punbb/
https://mysite.com/punbb/
http://punbb.mysite.com
https://punbb.mysite.com



Thankies
Kendra

Re: SSL is not a different referrer is it?

I just haven't thought of it. Here's a quick fix (for functions.php):

if (!preg_match('#^'.preg_quote(str_replace(array('www.', 'https://'), array('', 'http://'), $pun_config['o_base_url']).'/'.$script, '#').'#i', str_replace(array('www.', 'https://'), array('', 'http://'), (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))

Not tested, but it should work.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

3 (edited by kendra 2005-10-15 10:45)

Re: SSL is not a different referrer is it?

Rickard wrote:

I just haven't thought of it. Here's a quick fix (for functions.php):

if (!preg_match('#^'.preg_quote(str_replace(array('www.', 'https://'), array('', 'http://'), $pun_config['o_base_url']).'/'.$script, '#').'#i', str_replace(array('www.', 'https://'), array('', 'http://'), (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))

Not tested, but it should work.

Very clever.. :\  Got it!.

It worked nicely, SSL is becoming more and more popular. It's easy to overlook sexpecially if you don't have a cert makes testing it hard ( ~_*)


neways umm oye did I see you at the quickCart forums, well maybe anotha Rickard?


//replaced: /////

function confirm_referrer($script)
{
    global $pun_config, $lang_common;

    if (!preg_match('#^'.preg_quote(str_replace('www.', '', $pun_config['o_base_url']).'/'.$script, '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
        message($lang_common['Bad referrer']);
}



// With  //

function confirm_referrer($script)
{
    global $pun_config, $lang_common;

    if (!preg_match('#^'.preg_quote(str_replace(array('www.', 'https://'), array('', 'http://'), $pun_config['o_base_url']).'/'.$script, '#').'#i', str_replace(array('www.', 'https://'), array('', 'http://'), (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
        message($lang_common['Bad referrer']);
}



~huggies~ tankies
Kendra
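
An added example, not part of the thread and not PunBB's own code: the same "http or https, with or without www" referrer check done by parsing both URLs rather than string-replacing them, so only a leading www. label is ignored and the host must match exactly. The names `normalize_host` and `referrer_matches` and all URLs are hypothetical.

```php
<?php
// Added example (not PunBB code); function names and URLs are hypothetical.

// Lower-case the host and drop one leading "www." label only.
// (str_replace('www.', '', ...) removes the substring wherever it occurs.)
function normalize_host($host)
{
    $host = strtolower($host);
    return (strpos($host, 'www.') === 0) ? substr($host, 4) : $host;
}

// True when $referer points at $script under $base_url, ignoring
// http/https and a leading www. on either side.
function referrer_matches($base_url, $script, $referer)
{
    $base = parse_url($base_url);
    $ref  = parse_url($referer);

    // Malformed, empty or relative referers never match.
    if (!is_array($base) || !is_array($ref) || !isset($base['host'], $ref['host'], $ref['scheme']))
        return false;

    // Accept both schemes, nothing else.
    if (!in_array(strtolower($ref['scheme']), array('http', 'https'), true))
        return false;

    if (normalize_host($base['host']) !== normalize_host($ref['host']))
        return false;

    // Compare the whole path; the query string is parsed separately and ignored.
    $base_path = isset($base['path']) ? rtrim($base['path'], '/') : '';
    $ref_path  = isset($ref['path']) ? $ref['path'] : '';
    return strcasecmp($base_path.'/'.$script, $ref_path) === 0;
}

// Constructed sample referers, checked against a constructed base URL.
$base = 'http://mysite.com/punbb';
$samples = array(
    'http://mysite.com/punbb/post.php?tid=1',      // same site, http
    'https://www.mysite.com/punbb/post.php?tid=1', // same site, https + www
    'https://mywww.site.com/punbb/post.php',       // different host
    '',                                            // referer header absent
);
foreach ($samples as $r)
    echo str_pad($r === '' ? '(empty)' : $r, 46), referrer_matches($base, 'post.php', $r) ? 'ok' : 'bad referrer', "\n";
```

Port numbers are not compared, and an absent Referer header is rejected, as it is in the thread's version.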

Re: SSL is not a different referrer is it?

Nah, I don't think that was me. I don't know what quickCart is :D
