Quote:
Originally posted by Bad B0y
but http://yoursite.com?id=blah could come from anywhere, and the referer can be changed to whatever just as easily.
So what would you say should be secure?
If you are concerned with security - there is not much difference - that's what I was trying to say in the previous post.
http://yoursite.com?id=blah can come from anywhere - TRUE
http://yoursite.com with the appropriate REFERER can ALSO come from anywhere - that is not hard to fake.
If you trust your security issues with the use of HTTP_REFERER (or even assist with that) you are tragically mistaken. It doesn't even help - you earn nothing in that aspect. If someone wants to cheat you - he will do so while you will still get the REFERER - trust cheaters ;)
All HTTP_REFERER gives is - an easy URL to send traffic to, coupled with a big and growing inaccuracy.
It's like letting grocery customers pay by presenting price tags - without showing the merchandise. It will all work fine for the honest ones. On the other side, a bad customer can "pick" tags from cheaper products or even sneak some products he never intends to show the price tag for (some would call it stealing ;) ).
IDs are not different in that aspect at all. The difference is not security - it's accuracy in tracking and counting - a thing that could not be achieved with non-ID (REFERER-based) CJ scripts.
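An added illustration of the point made in the post above, not code from the thread or from any CJ script: a tally over three constructed request heads, counted once by Referer host and once by the `id` parameter. The partner names, the `.example` hosts and the function names are assumptions made up for the example.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample request heads (not from the original post), as a
# tracking script on yoursite.com would receive them.
REQUESTS = [
    # Visitor sent by partner-a; the browser includes a Referer.
    "GET /?id=partner-a HTTP/1.1\r\nHost: yoursite.com\r\n"
    "Referer: http://partner-a.example/links.html\r\n\r\n",
    # Visitor sent by partner-a; Referer stripped by a proxy or privacy tool.
    "GET /?id=partner-a HTTP/1.1\r\nHost: yoursite.com\r\n\r\n",
    # Hand-built request: the sender chose both the id and the Referer.
    "GET /?id=partner-b HTTP/1.1\r\nHost: yoursite.com\r\n"
    "Referer: http://partner-b.example/\r\n\r\n",
]

def parse_head(raw):
    """Return (request_target, headers) from a raw HTTP request head."""
    lines = raw.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def tally(requests):
    """Count hits per source twice: by Referer host and by id parameter."""
    by_referer, by_id = Counter(), Counter()
    for raw in requests:
        target, headers = parse_head(raw)
        ref = headers.get("referer")
        by_referer[urlsplit(ref).hostname if ref else "(unknown)"] += 1
        ids = parse_qs(urlsplit(target).query).get("id")
        by_id[ids[0] if ids else "(unknown)"] += 1
    return by_referer, by_id

if __name__ == "__main__":
    by_referer, by_id = tally(REQUESTS)
    print("by Referer:", dict(by_referer))
    print("by id:     ", dict(by_id))
```

The hand-built request is credited under both schemes, since both values are supplied by the sender; only the Referer count loses the hit whose header was stripped.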