
Faked $_SERVER variables

Hello,

I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
that true of all server variables, or just some of them? In
particular, I'm wondering if server_port can be faked.

I'm interested right now because I want to detect whether the current
page request is using http or https. I realize there are other ways
to ensure the correct delivery of pages over https using directory
management and htaccess, but I also want to understand the server
variables better.

Jun 1 '07 #1
8 Replies


e_*******@hotmail.com wrote:
> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
> that true of all server variables, or just some of them? In
> particular, I'm wondering if server_port can be faked.

Unless your HTTP server runs in more than one port, that's pretty difficult.

> I'm interested right now because I want to detect whether the current
> page request is using http or https.

Don't. Set up your web server to serve different pages over HTTP and over
HTTPS.

> I realize there are other ways to ensure the correct delivery of pages
> over https using directory management and htaccess, but I also want to
> understand the server variables better.

Server variables are pretty simple: Whenever the web server receives a
request for a PHP page, it spawns (or dispatches) a thread running the PHP
interpreter. That thread will receive the complete URL, any posted data,
and a handful of information. That "handful of information" is the $_SERVER
variables.

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_*************************@hotmail.com
Jabber:iv*********@jabber.org ; iv*********@kdetalk.net
Jun 1 '07 #2

On 01.06.2007 16:25 e_*******@hotmail.com wrote:
> Hello,
>
> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
> that true of all server variables, or just some of them? In
> particular, I'm wondering if server_port can be faked.
>
> I'm interested right now because I want to detect whether the current
> page request is using http or https. I realize there are other ways
> to ensure the correct delivery of pages over https using directory
> management and htaccess, but I also want to understand the server
> variables better.

$_SERVER is mixture of system environment variables (e.g "PATH") and CGI
variables (e.g. "REQUEST_METHOD"), including extracted request headers
(all "HTTP_" ones). The latter group can be easily "faked", because it
contains data that comes from the client, not from your local machine.

--
gosha bine

extended php parser ~ http://code.google.com/p/pihipi
blok ~ http://www.tagarga.com/blok
Jun 1 '07 #3

e_*******@hotmail.com wrote:
> Hello,
>
> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
> that true of all server variables, or just some of them? In
> particular, I'm wondering if server_port can be faked.
>
> I'm interested right now because I want to detect whether the current
> page request is using http or https. I realize there are other ways
> to ensure the correct delivery of pages over https using directory
> management and htaccess, but I also want to understand the server
> variables better.

No, the port can't be faked. It's not sent by the browser.

You can also check $_SERVER['HTTPS']. It's either set to 'on' if the
user is using https, or empty if he's not.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 1 '07 #4

Iván Sánchez Ortega wrote:
> e_*******@hotmail.com wrote:
>> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
>> that true of all server variables, or just some of them? In
>> particular, I'm wondering if server_port can be faked.
>
> Unless your HTTP server runs in more than one port, that's pretty difficult.
>
>> I'm interested right now because I want to detect whether the current
>> page request is using http or https.
>
> Don't. Set up your web server to serve different pages over HTTP and over
> HTTPS.

Why would you ever do that? There's no reason why pages which don't
require security can't still be served over https.

>> I realize there are other ways to ensure the correct delivery of pages
>> over https using directory management and htaccess, but I also want to
>> understand the server variables better.
>
> Server variables are pretty simple: Whenever the web server receives a
> request for a PHP page, it spawns (or dispatches) a thread running the PHP
> interpreter. That thread will receive the complete URL, any posted data,
> and a handful of information. That "handful of information" is the $_SERVER
> variables.

Some $_SERVER variables (i.e. HTTP_REFERER, HTTP_USER_AGENT) come from the
user. Others (i.e. PATH, SERVER_NAME) are generated by the server.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 1 '07 #5

On Jun 1, 7:55 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Iván Sánchez Ortega wrote:
>> e_matt...@hotmail.com wrote:
>>> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
>>> that true of all server variables, or just some of them? In
>>> particular, I'm wondering if server_port can be faked.
>>
>> Unless your HTTP server runs in more than one port, that's pretty difficult.
>>
>>> I'm interested right now because I want to detect whether the current
>>> page request is using http or https.
>>
>> Don't. Set up your web server to serve different pages over HTTP and over
>> HTTPS.
>
> Why would you ever do that? There's no reason why pages which don't
> require security can't still be served over https.

There's no harm done serving over https, except I keep reading that
it's more resource-intensive than http. That makes sense, because
encrypting and decrypting seems like more work than simply sending and
receiving. Why have a user browse the whole site over a secure
protocol when they only need to log in over a secure protocol? It's
not a critical issue for my low-volume site, so these are probably
semantics anyway.

>>> I realize there are other ways to ensure the correct delivery of pages
>>> over https using directory management and htaccess, but I also want to
>>> understand the server variables better.
>>
>> Server variables are pretty simple: Whenever the web server receives a
>> request for a PHP page, it spawns (or dispatches) a thread running the PHP
>> interpreter. That thread will receive the complete URL, any posted data,
>> and a handful of information. That "handful of information" is the $_SERVER
>> variables.
>
> Some $_SERVER variables (i.e. HTTP_REFERER, HTTP_USER_AGENT) come from the
> user. Others (i.e. PATH, SERVER_NAME) are generated by the server.

Both of these explanations clarify server variables. Thank you. So
do I understand correctly that the http_ variables can be faked
because they come from the user, but other variables like server_name
and php_self are quite reliable because they come from the server?

Jun 2 '07 #6

e_*******@hotmail.com wrote:
> On Jun 1, 7:55 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Iván Sánchez Ortega wrote:
>>> e_matt...@hotmail.com wrote:
>>>> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
>>>> that true of all server variables, or just some of them? In
>>>> particular, I'm wondering if server_port can be faked.
>>>
>>> Unless your HTTP server runs in more than one port, that's pretty difficult.
>>>
>>>> I'm interested right now because I want to detect whether the current
>>>> page request is using http or https.
>>>
>>> Don't. Set up your web server to serve different pages over HTTP and over
>>> HTTPS.
>>
>> Why would you ever do that? There's no reason why pages which don't
>> require security can't still be served over https.
>
> There's no harm done serving over https, except I keep reading that
> it's more resource-intensive than http. That makes sense, because
> encrypting and decrypting seems like more work than simply sending and
> receiving. Why have a user browse the whole site over a secure
> protocol when they only need to log in over a secure protocol? It's
> not a critical issue for my low-volume site, so these are probably
> semantics anyway.

Yes, but if you're pushing the limit enough that the difference between
http and https protocols causes your site to fall over, you're going to
die soon, anyway. And most of your users won't be using https unless
required, anyway.

My response was just directed at Ivan's comment that you should serve
different pages to http and https protocols. I see no reason why you
should do that.

>>>> I realize there are other ways to ensure the correct delivery of pages
>>>> over https using directory management and htaccess, but I also want to
>>>> understand the server variables better.
>>>
>>> Server variables are pretty simple: Whenever the web server receives a
>>> request for a PHP page, it spawns (or dispatches) a thread running the PHP
>>> interpreter. That thread will receive the complete URL, any posted data,
>>> and a handful of information. That "handful of information" is the $_SERVER
>>> variables.
>>
>> Some $_SERVER variables (i.e. HTTP_REFERER, HTTP_USER_AGENT) come from the
>> user. Others (i.e. PATH, SERVER_NAME) are generated by the server.
>
> Both of these explanations clarify server variables. Thank you. So
> do I understand correctly that the http_ variables can be faked
> because they come from the user, but other variables like server_name
> and php_self are quite reliable because they come from the server?


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 2 '07 #7

Jerry Stuckle wrote:
> My response was just directed at Ivan's comment that you should serve
> different pages to http and https protocols. I see no reason why you
> should do that.

I meant that, if you have to be really sure that a certain page is served
*only* by https, then the best option IMHO is to configure two virtualhosts
in the webserver; then put the https-only webpage in the https-only
virtualhost.

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

http://acm.asoc.fi.upm.es/~mr/
Proudly running Debian Linux with 2.6.20-1-amd64 kernel, KDE3.5.3, and PHP
5.2.2-2 generating this signature.
Uptime: 04:18:50 up 1 day, 10:21, 3 users, load average: 0.89, 1.78, 2.24

Jun 2 '07 #8

Iván Sánchez Ortega wrote:
> Jerry Stuckle wrote:
>> My response was just directed at Ivan's comment that you should serve
>> different pages to http and https protocols. I see no reason why you
>> should do that.
>
> I meant that, if you have to be really sure that a certain page is served
> *only* by https, then the best option IMHO is to configure two virtualhosts
> in the webserver; then put the https-only webpage in the https-only
> virtualhost.

No, no need at all to create an entire new virtual host. It's quite
easy to check the $_SERVER to see if they're running https, and if not,
redirect them.

Even easier is to just put a rule in your current httpd.conf or
.htaccess file to redirect any non-https request for the page to https.

An additional virtual host is way overkill.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 2 '07 #9
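The trust boundary the replies draw (HTTP_* entries and the request line are client-supplied; HTTPS and SERVER_PORT come from the connection the server accepted) together with the check-and-redirect described in the last post, written out as an added example that is not code from the thread. It assumes Apache/mod_php with no reverse proxy in front, so TLS terminates at this server; the function names and the sample array are constructed for illustration.

```php
<?php
// Added example, not from the thread; assumes Apache/mod_php with no reverse proxy (TLS ends here).

// True when a $_SERVER key is copied from something the client sent: every
// "HTTP_*" entry is a request header copied verbatim (HTTP_REFERER included),
// and the request line supplies REQUEST_URI, QUERY_STRING, PATH_INFO and
// REQUEST_METHOD. PHP_SELF embeds PATH_INFO, so it is not purely server-made.
function isClientSupplied(string $key): bool
{
    $fromRequestLine = ['REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'REQUEST_METHOD', 'PHP_SELF'];
    return strncmp($key, 'HTTP_', 5) === 0 || in_array($key, $fromRequestLine, true);
}

// Decide whether the request arrived over TLS using only entries the web
// server derives from the socket: HTTPS (Apache sets "on"; some SAPIs set
// "off" on plain HTTP) and SERVER_PORT. Takes the array as a parameter so
// the logic can be exercised without a live request.
function isHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Return the https:// URL a plain-HTTP request should be redirected to, or
// null when it is already on HTTPS. The host is a fixed parameter rather than
// SERVER_NAME, because Apache fills SERVER_NAME from the client's Host header
// unless UseCanonicalName is On.
function httpsRedirectTarget(array $server, string $canonicalHost): ?string
{
    if (isHttps($server)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {   // client-supplied: accept only an origin-form path
        $uri = '/';
    }
    return 'https://' . $canonicalHost . $uri;
}
// Constructed sample: a port-80 request whose client also sent a spoofed
// X-Forwarded-Proto header; it is ignored because only HTTPS and SERVER_PORT count.
$sample = ['HTTPS' => '', 'SERVER_PORT' => '80', 'REQUEST_URI' => '/login.php',
           'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_REFERER' => 'http://example.invalid/'];
$untrusted = array_filter(array_keys($sample), 'isClientSupplied');
echo 'client-supplied keys: ' . implode(', ', $untrusted) . "\n";
if (($target = httpsRedirectTarget($sample, 'www.example.com')) !== null) {
    echo "would redirect to $target\n";   // real code: header('Location: ' . $target, true, 301); exit;
}
```

If a reverse proxy or load balancer terminates TLS instead, HTTPS and SERVER_PORT describe the hop from the proxy, and a forwarded-protocol header becomes meaningful only after the web server is configured to accept it from that proxy's address alone.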
