Bytes | Software Development & Data Engineering Community

Faked $_SERVER variables

Hello,

I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
that true of all server variables, or just some of them? In
particular, I'm wondering if server_port can be faked.

I'm interested right now because I want to detect whether the current
page request is using http or https. I realize there are other ways
to ensure the correct delivery of pages over https using directory
management and htaccess, but I also want to understand the server
variables better.

Jun 1 '07 #1
e_*******@hotmail.com wrote:
> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
> that true of all server variables, or just some of them? In
> particular, I'm wondering if server_port can be faked.

Unless your HTTP server runs in more than one port, that's pretty difficult.

> I'm interested right now because I want to detect whether the current
> page request is using http or https.

Don't. Set up your web server to serve different pages over HTTP and over
HTTPS.

> I realize there are other ways to ensure the correct delivery of pages
> over https using directory management and htaccess, but I also want to
> understand the server variables better.

Server variables are pretty simple: Whenever the web server receives a
request for a PHP page, it spawns (or dispatches) a thread running the PHP
interpreter. That thread will receive the complete URL, any posted data,
and a handful of information. That "handful of information" is the $_SERVER
variables.

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_*************************@hotmail.com
Jabber:iv*********@jabber.org ; iv*********@kdetalk.net
Jun 1 '07 #2
On 01.06.2007 16:25 e_*******@hotmail.com wrote:
> Hello,
>
> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
> that true of all server variables, or just some of them? In
> particular, I'm wondering if server_port can be faked.
>
> I'm interested right now because I want to detect whether the current
> page request is using http or https. I realize there are other ways
> to ensure the correct delivery of pages over https using directory
> management and htaccess, but I also want to understand the server
> variables better.

$_SERVER is mixture of system environment variables (e.g "PATH") and CGI
variables (e.g. "REQUEST_METHOD"), including extracted request headers
(all "HTTP_" ones). The latter group can be easily "faked", because it
contains data that comes from the client, not from your local machine.

--
gosha bine

extended php parser ~ http://code.google.com/p/pihipi
blok ~ http://www.tagarga.com/blok
Jun 1 '07 #3
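As an added illustration of gosha bine's point (example code added here, not something posted in the thread): a PHP script that performs the same header-to-variable mapping a CGI gateway does, on a constructed request, and then sorts the resulting $_SERVER-style array by who chose each value. The request lines, addresses and paths are made up for the demonstration, and `headersToServerVars` and `classifyServerVars` are helper names introduced here.

```php
<?php
// Added example, not code from the thread. Shows how a CGI-style gateway
// turns the client's request headers into $_SERVER['HTTP_*'] entries, and
// which entries the server derives itself. The request below is constructed.

/**
 * Build the HTTP_* meta-variables from raw header lines the way the web
 * server does before PHP runs: uppercase, '-' becomes '_', 'HTTP_' prefix.
 * Content-Type and Content-Length are the CGI exceptions without a prefix.
 */
function headersToServerVars(array $headerLines): array
{
    $vars = [];
    foreach ($headerLines as $line) {
        if (strpos($line, ':') === false) {
            continue;               // request line or blank line, not a header
        }
        [$name, $value] = explode(':', $line, 2);
        $key = strtoupper(str_replace('-', '_', trim($name)));
        if ($key !== 'CONTENT_TYPE' && $key !== 'CONTENT_LENGTH') {
            $key = 'HTTP_' . $key;
        }
        $vars[$key] = trim($value);
    }
    return $vars;
}

/**
 * Split a $_SERVER-style array by who chose the value. Every HTTP_* key is
 * a client header; the request-line keys listed are copied from the URL the
 * client asked for (PHP_SELF includes client-supplied PATH_INFO). Anything
 * else here comes from the socket, the TLS layer or server configuration.
 */
function classifyServerVars(array $server): array
{
    $fromRequest = ['REQUEST_METHOD', 'REQUEST_URI', 'QUERY_STRING',
        'PATH_INFO', 'PHP_SELF', 'CONTENT_TYPE', 'CONTENT_LENGTH'];
    $split = ['client' => [], 'server' => []];
    foreach ($server as $key => $value) {
        $isClient = strncmp($key, 'HTTP_', 5) === 0 || in_array($key, $fromRequest, true);
        $split[$isClient ? 'client' : 'server'][$key] = $value;
    }
    return $split;
}

// Constructed request from a plain-HTTP client that claims to have come
// from the login page and claims the connection is already TLS.
$rawRequest = [
    'GET /account.php?id=7 HTTP/1.1',
    'Host: www.example.com',
    'Referer: https://www.example.com/login.php',
    'User-Agent: Mozilla/5.0',
    'X-Forwarded-Proto: https',     // a client can send this as easily as Referer
];

$server = headersToServerVars($rawRequest) + [
    'REQUEST_METHOD'  => 'GET',
    'REQUEST_URI'     => '/account.php?id=7',
    'QUERY_STRING'    => 'id=7',
    'REMOTE_ADDR'     => '203.0.113.9',     // taken from the TCP connection
    'SERVER_PORT'     => '80',              // taken from the listening socket
    'SCRIPT_FILENAME' => '/var/www/account.php',
];

$split = classifyServerVars($server);
echo "Chosen by the client:\n";
print_r($split['client']);
echo "Derived by the server:\n";
print_r($split['server']);
```

Run it with the `php` command-line binary. The split is deliberately strict: REQUEST_URI, QUERY_STRING and PHP_SELF are counted as client-chosen because their values are copied from the URL the client asked for, so they need the same escaping as any other input. One further caveat for SERVER_NAME, which the thread treats as server-generated: with Apache's default `UseCanonicalName Off` it is built from the client's Host header, so treat it like HTTP_HOST.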
e_*******@hotmail.com wrote:
> Hello,
>
> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
> that true of all server variables, or just some of them? In
> particular, I'm wondering if server_port can be faked.
>
> I'm interested right now because I want to detect whether the current
> page request is using http or https. I realize there are other ways
> to ensure the correct delivery of pages over https using directory
> management and htaccess, but I also want to understand the server
> variables better.

No, the port can't be faked. It's not sent by the browser.

You can also check $_SERVER['HTTPS']. It's either set to 'on' if the
user is using https, or empty if he's not.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 1 '07 #4
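An added example of the check Jerry describes (not code from the thread): `isHttps()` and `httpsRedirectTarget()` are names introduced here, and `CANONICAL_HOST`, the IP addresses and the proxy list are assumptions. It also handles two cases the thread does not mention: IIS sets $_SERVER['HTTPS'] to 'off' rather than leaving it empty, so the test must be for a truthy value, not for the key being present; and behind a TLS-terminating proxy PHP sees plain HTTP plus an X-Forwarded-Proto header, which any client can send too, so that header is believed only when REMOTE_ADDR is a proxy you operate.

```php
<?php
// Added example, not code from the thread. Decides whether a request
// arrived over TLS from values the server itself set, and only believes a
// client-sendable X-Forwarded-Proto header when the TCP peer is a proxy
// you operate. CANONICAL_HOST and the proxy address are assumptions.

const CANONICAL_HOST = 'www.example.com';

function isHttps(array $server, array $trustedProxies = []): bool
{
    // mod_ssl sets HTTPS to "on"; IIS sets it to "off" for plain HTTP,
    // so test for a truthy value rather than "is the key present".
    $flag = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($flag !== '' && $flag !== 'off' && $flag !== '0') {
        return true;
    }
    // SERVER_PORT comes from the listening socket, not from a header.
    if ((int) ($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    // Behind a TLS-terminating proxy PHP sees plain HTTP. The proxy reports
    // the original scheme in X-Forwarded-Proto, but any client can send that
    // header too, so trust it only from a known proxy that overwrites it.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (in_array($peer, $trustedProxies, true)) {
        return strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https';
    }
    return false;
}

/**
 * Returns null when the request may be served, otherwise the HTTPS URL to
 * redirect to. The host is fixed rather than copied from HTTP_HOST or
 * SERVER_NAME, both of which can echo the client's Host header.
 */
function httpsRedirectTarget(array $server, array $trustedProxies = []): ?string
{
    if (isHttps($server, $trustedProxies)) {
        return null;
    }
    $path = (string) ($server['REQUEST_URI'] ?? '/');
    if ($path === '' || $path[0] !== '/') {
        $path = '/';            // refuse an absolute URI or an empty target
    }
    return 'https://' . CANONICAL_HOST . $path;
}

// Call this at the top of a page that must only be served over TLS.
function requireHttps(array $server, array $trustedProxies = []): void
{
    $target = httpsRedirectTarget($server, $trustedProxies);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
}

// Constructed requests for the demonstration; addresses are made up.
$cases = [
    'direct https'      => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REMOTE_ADDR' => '198.51.100.7', 'REQUEST_URI' => '/account.php'],
    'IIS plain http'    => ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'REMOTE_ADDR' => '198.51.100.7', 'REQUEST_URI' => '/account.php'],
    'client forges XFP' => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/account.php'],
    'behind own proxy'  => ['SERVER_PORT' => '80', 'REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/account.php'],
];
$proxies = ['10.0.0.2'];   // assumed address of the TLS-terminating proxy
foreach ($cases as $label => $server) {
    $target = httpsRedirectTarget($server, $proxies);
    printf("%-18s -> %s\n", $label, $target === null ? 'serve' : 'redirect to ' . $target);
}
```

Of the four constructed requests, only the direct TLS one and the one arriving from the listed proxy are served; the forged X-Forwarded-Proto from an untrusted address is ignored and that request is redirected like any other plain-HTTP one. If you do sit behind a proxy, make sure it strips or overwrites X-Forwarded-Proto on every inbound request, otherwise the trusted-peer check alone is not enough.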
Iván Sánchez Ortega wrote:
> e_*******@hotmail.com wrote:
>> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
>> that true of all server variables, or just some of them? In
>> particular, I'm wondering if server_port can be faked.
>
> Unless your HTTP server runs in more than one port, that's pretty difficult.
>
>> I'm interested right now because I want to detect whether the current
>> page request is using http or https.
>
> Don't. Set up your web server to serve different pages over HTTP and over
> HTTPS.

Why would you ever do that? There's no reason why pages which don't
require security can't still be served over https.

>> I realize there are other ways to ensure the correct delivery of pages
>> over https using directory management and htaccess, but I also want to
>> understand the server variables better.
>
> Server variables are pretty simple: Whenever the web server receives a
> request for a PHP page, it spawns (or dispatches) a thread running the PHP
> interpreter. That thread will receive the complete URL, any posted data,
> and a handful of information. That "handful of information" is the $_SERVER
> variables.

Some $_SERVER variables (i.e. HTTP_REFERER, HTTP_USER_AGENT) come from the
user. Others (i.e. PATH, SERVER_NAME) are generated by the server.

Jun 1 '07 #5
On Jun 1, 7:55 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Iván Sánchez Ortega wrote:
>> e_matt...@hotmail.com wrote:
>>> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
>>> that true of all server variables, or just some of them? In
>>> particular, I'm wondering if server_port can be faked.
>>
>> Unless your HTTP server runs in more than one port, that's pretty difficult.
>>
>>> I'm interested right now because I want to detect whether the current
>>> page request is using http or https.
>>
>> Don't. Set up your web server to serve different pages over HTTP and over
>> HTTPS.
>
> Why would you ever do that? There's no reason why pages which don't
> require security can't still be served over https.

There's no harm done serving over https, except I keep reading that
it's more resource-intensive than http. That makes sense, because
encrypting and decrypting seems like more work than simply sending and
receiving. Why have a user browse the whole site over a secure
protocol when they only need to log in over a secure protocol? It's
not a critical issue for my low-volume site, so these are probably
semantics anyway.

>>> I realize there are other ways to ensure the correct delivery of pages
>>> over https using directory management and htaccess, but I also want to
>>> understand the server variables better.
>>
>> Server variables are pretty simple: Whenever the web server receives a
>> request for a PHP page, it spawns (or dispatches) a thread running the PHP
>> interpreter. That thread will receive the complete URL, any posted data,
>> and a handful of information. That "handful of information" is the $_SERVER
>> variables.
>
> Some $_SERVER variables (i.e. HTTP_REFERER, HTTP_USER_AGENT) come from the
> user. Others (i.e. PATH, SERVER_NAME) are generated by the server.

Both of these explanations clarify server variables. Thank you. So
do I understand correctly that the http_ variables can be faked
because they come from the user, but other variables like server_name
and php_self are quite reliable because they come from the server?

Jun 2 '07 #6
e_*******@hotmail.com wrote:
> On Jun 1, 7:55 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Iván Sánchez Ortega wrote:
>>> e_matt...@hotmail.com wrote:
>>>> I keep reading that $_SERVER['HTTP_REFERER'] can easily be faked. Is
>>>> that true of all server variables, or just some of them? In
>>>> particular, I'm wondering if server_port can be faked.
>>>
>>> Unless your HTTP server runs in more than one port, that's pretty difficult.
>>>
>>>> I'm interested right now because I want to detect whether the current
>>>> page request is using http or https.
>>>
>>> Don't. Set up your web server to serve different pages over HTTP and over
>>> HTTPS.
>>
>> Why would you ever do that? There's no reason why pages which don't
>> require security can't still be served over https.
>
> There's no harm done serving over https, except I keep reading that
> it's more resource-intensive than http. That makes sense, because
> encrypting and decrypting seems like more work than simply sending and
> receiving. Why have a user browse the whole site over a secure
> protocol when they only need to log in over a secure protocol? It's
> not a critical issue for my low-volume site, so these are probably
> semantics anyway.

Yes, but if you're pushing the limit enough that the difference between
http and https protocols causes your site to fall over, you're going to
die soon, anyway. And most of your users won't be using https unless
required, anyway.

My response was just directed at Ivan's comment that you should serve
different pages to http and https protocols. I see no reason why you
should do that.

>>>> I realize there are other ways to ensure the correct delivery of pages
>>>> over https using directory management and htaccess, but I also want to
>>>> understand the server variables better.
>>>
>>> Server variables are pretty simple: Whenever the web server receives a
>>> request for a PHP page, it spawns (or dispatches) a thread running the PHP
>>> interpreter. That thread will receive the complete URL, any posted data,
>>> and a handful of information. That "handful of information" is the $_SERVER
>>> variables.
>>
>> Some $_SERVER variables (i.e. HTTP_REFERER, HTTP_USER_AGENT) come from the
>> user. Others (i.e. PATH, SERVER_NAME) are generated by the server.
>
> Both of these explanations clarify server variables. Thank you. So
> do I understand correctly that the http_ variables can be faked
> because they come from the user, but other variables like server_name
> and php_self are quite reliable because they come from the server?


Jun 2 '07 #7
Jerry Stuckle wrote:
> My response was just directed at Ivan's comment that you should serve
> different pages to http and https protocols. I see no reason why you
> should do that.

I meant that, if you have to be really sure that a certain page is served
*only* by https, then the best option IMHO is to configure two virtualhosts
in the webserver; then put the https-only webpage in the https-only
virtualhost.


Jun 2 '07 #8
Iván Sánchez Ortega wrote:
> Jerry Stuckle wrote:
>> My response was just directed at Ivan's comment that you should serve
>> different pages to http and https protocols. I see no reason why you
>> should do that.
>
> I meant that, if you have to be really sure that a certain page is served
> *only* by https, then the best option IMHO is to configure two virtualhosts
> in the webserver; then put the https-only webpage in the https-only
> virtualhost.

No, no need at all to create an entire new virtual host. It's quite
easy to check the $_SERVER to see if they're running https, and if not,
redirect them.

Even easier is to just put a rule in your current httpd.conf or
.htaccess file to redirect any non-https request for the page to https.

An additional virtual host is way overkill.

Jun 2 '07 #9
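The .htaccess rule Jerry suggests, written out as an added example (not from the thread). mod_rewrite's %{HTTPS} variable is set by the server from the connection, so no request header can bypass the rule. www.example.com is an assumed canonical host, chosen instead of %{HTTP_HOST} because that is the client's own Host header; the Strict-Transport-Security line, which needs mod_headers, stops returning browsers from making even the first request in plain text.

```apache
# Added example, not from the thread. Put this in the .htaccess of the
# directory that must only be reached over TLS. Needs mod_rewrite and
# AllowOverride FileInfo for the directory; www.example.com is an assumed host.
RewriteEngine On
# %{HTTPS} is "on" or "off" and comes from the server, never from a header.
RewriteCond %{HTTPS} !=on
# Same path, fixed canonical host (not %{HTTP_HOST}, which the client chose).
# The original query string is carried over because the target has none.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# Once the visitor is on HTTPS, tell the browser to stay there for a year.
# Only emitted on TLS connections (the HTTPS env var is set by mod_ssl).
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

Test it with `curl -I http://www.example.com/account/` and confirm a 301 whose Location starts with https://www.example.com/, then repeat against the HTTPS URL and confirm a 200 carrying the Strict-Transport-Security header. If the server sits behind a TLS-terminating proxy, %{HTTPS} will be "off" for every request and this rule will loop; in that setup the condition has to be on a header the proxy is known to set, which is the trust decision the PHP version above makes explicit.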