• From: Bochum
  • Registered: 2005-07-13
  • Posts: 28

Topic: Why redirect? Why HTTP_REFERER?

Hello,

first: this post is not flame at all. I'm just curious.

I was thinking about web forum software in general
and it really seems to me that the best way for a web
forum is to use cookies. Because if you'd use hidden
fields, then you'd have to change every link into a button.
And another alternative, the URL: if you'd put the auth.
token into the URL, then you can't make bookmarks,
the URL also looks ugly and you can't send it to others.

So cookies are the way to go.

But why does PunBB shows a redirection page after
each action? If it's for setting cookies, then why can't
it just send the cookie-headers while displaying the next page?

And another question is: why HTTP_REFERER is needed
at all in PunBB. Since it is forgeable, as most here know.
What is it's purpose?

Thanks
Alex

http://preferans.de/ - russian card game

afarber's Website

2 Reply by Jansson (edited by Jansson 2006-05-21 22:10)

  • Jansson
  • Former PunBB Developer
  • Offline
  • From: Sweden
  • Registered: 2003-01-06
  • Posts: 856

Re: Why redirect? Why HTTP_REFERER?

About the redirect page, it's nice to know what's going on. I rather not just be redirected somewhere without knowing it. Sometimes the page redirected too looks identical to the one you were from, so you would not be sure if the form was processed or not.

If you don't want the redirect page to show up, just set the delay time to 0 in the admin and the script will use header('Location: bla bla') instead.

  • Smartys
  • Former PunBB Developer
  • Offline
  • Registered: 2004-04-30
  • Posts: 7,844

Re: Why redirect? Why HTTP_REFERER?

as for HTTP_REFERER, you certainly can fake it. However, the check prevents against tricking an admin/mod into submitting a form on another site that actually submits to the forum

  • From: Bochum
  • Registered: 2005-07-13
  • Posts: 28

Re: Why redirect? Why HTTP_REFERER?

Thank you, the both replies make sense to me!

http://preferans.de/ - russian card game

afarber's Website