Hello Nitsan and Andrew,

On 2008-06-16 13:20:14, Andrew Ballard wrote:
> On Mon, Jun 16, 2008 at 1:01 PM, Nitsan Bin-Nun <nitsanbn@xxxxxxxxx> wrote:
> > I think you can handle this with 2 pages: the first is checking whether the
> > user is permitted to upload or not and, if so, passing him to the upload form
> > with a simple (bool) $_SESSION variable which indicates his permissions.
> > If you try to access the second page and the $_SESSION variable doesn't
> > exist, it will throw you back to page 1 to validate your permissions.
> >
> > Am I missing something? (It's pretty simple..)
> >
> > HTH
>
> Yes, it's missing something. There is nothing in this approach to
> prevent the remote client from attempting to access the second page
> directly. Even if they do not have the valid $_SESSION variable set,
> the server will still receive the entire uploaded content before
> passing control to the PHP script to validate permissions. In a DoS
> attack, the attacker doesn't care whether the request is actually
> allowed; only that resources were consumed in handling the request.
> It's still the "chicken and egg" problem already described in this
> thread.

OK, I was thinking about it, but IF a $UPLOADER goes to
http://domain/index.php and then clicks the link
http://domain/mirror_admin.php, which sets a cookie, and then the
$UPLOADER must click a link where he/she gets the page
http://domain/mirror_upload.php, then before the page is displayed PHP
could check the cookie, right?

If the cookie is valid, it shows the form; if not, the potential
uploader gets a long nose.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)
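Andrew's point is that a check written inside mirror_upload.php runs only after the web server has already received the whole upload, so the cookie check Michelle proposes cannot stop the resource consumption on its own. The only place such a gate can work is the layer that owns the socket and decides whether to read the request body at all. The following is an added example, not code from this thread, from Michelle or from PHP: a small Python HTTP server that looks at the Cookie and Content-Length headers and refuses (403 / 411 / 413, connection closed) before touching the body. The cookie name mirror_session, the in-memory session store, the token values and the 10 MiB limit are all constructed for the demo. It does not change the answer for a PHP page behind Apache or another front-end server, which still only gets control after the upload has landed; a limit there must come from the server's own configuration.

```python
"""Gate an upload on the session cookie before the request body is read.

Added example for the thread above (not the list's or PHP's code). The
cookie name, session store, token values and size limit are constructed.
"""
import http.client
import http.server
import threading
from http import HTTPStatus

SESSION_COOKIE = "mirror_session"       # assumed cookie name
MAX_UPLOAD_BYTES = 10 * 1024 * 1024     # assumed per-request size limit

# Constructed session store for the demo: token -> may this holder upload?
SESSIONS = {"tok-uploader": True, "tok-visitor": False}


def parse_cookies(header):
    """Split a Cookie header ('a=1; b=2') into a dict, ignoring malformed parts."""
    cookies = {}
    if not header:
        return cookies
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def gate_upload(headers):
    """Decide from the request headers alone whether the body may be read.

    Returns (status, read_body). Nothing here touches the body, so a refused
    request costs the server only the header parse, not the whole upload.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    token = parse_cookies(lower.get("cookie")).get(SESSION_COOKIE)
    if not SESSIONS.get(token, False):
        return HTTPStatus.FORBIDDEN, False
    try:
        length = int(lower.get("content-length", "0"))
    except ValueError:
        return HTTPStatus.BAD_REQUEST, False
    if length <= 0:
        return HTTPStatus.LENGTH_REQUIRED, False
    if length > MAX_UPLOAD_BYTES:
        return HTTPStatus.REQUEST_ENTITY_TOO_LARGE, False
    return HTTPStatus.OK, True


class UploadGate(http.server.BaseHTTPRequestHandler):
    """Toy server: the gate runs between header parsing and body reading."""

    def do_POST(self):
        status, read_body = gate_upload(dict(self.headers.items()))
        if not read_body:
            # Refuse and drop the socket; self.rfile is never read.
            self.send_response(status)
            self.send_header("Connection", "close")
            self.end_headers()
            self.close_connection = True
            return
        data = self.rfile.read(int(self.headers["Content-Length"]))  # only now
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(f"stored {len(data)} bytes\n".encode())

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Start the gate on a free port and POST with no, a visitor and an uploader cookie."""
    server = http.server.HTTPServer(("127.0.0.1", 0), UploadGate)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    results = []
    for cookie in (None, f"{SESSION_COOKIE}=tok-visitor", f"{SESSION_COOKIE}=tok-uploader"):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("POST", "/mirror_upload.php", body=b"x" * 64,
                     headers={"Cookie": cookie} if cookie else {})
        results.append((cookie, conn.getresponse().status))
        conn.close()
    server.shutdown()
    return results


if __name__ == "__main__":
    for cookie, status in demo():
        print(f"{cookie!r:40} -> {status}")
```

gate_upload is deliberately a pure function of the headers so the policy can be unit-tested without a socket; the handler only wires it to the one place where refusing is still cheap.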