
[nycphp-talk] Chris Shiftlett's Session Example

Chris Shiflett shiflett at php.net
Sat Aug 6 17:14:43 EDT 2005


Joseph Crawford wrote:
> # Make sure the user agent is correct
> $ua_should_be = urldecode($parsed_cookie['ua']);
> if ($_SERVER['HTTP_USER_AGENT'] != $ua_should_be)
> {
>     $identity_validated = false;
> }
> 
> does that seem redundant to anyone else?

It's not a particularly good example, since an attacker can pretty 
easily determine the format of the cookie string and spoof it.

However, it's meant to illustrate the basic idea of consistency 
checking. Inconsistencies in a client's request are reason for 
suspicion, although legitimate users may send slightly inconsistent 
requests due to HTTP proxies and weird browser behavior (IE sends a 
different Accept header when you reload a page) on occasion. So, make 
sure your "punishment" is mild. :-)

Hope that helps.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
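The following is an added example of the consistency check Chris describes, written for this page and not taken from his book or from the thread. It assumes a normal server-side PHP session: the fingerprint is stored in `$_SESSION` at login rather than in a client-controlled cookie, so there is no cookie format to spoof, and a mismatch only marks the session untrusted (forcing re-authentication for sensitive actions) rather than ending it. The `Accept` header is left out of the fingerprint for exactly the reason given above. Function names and the `/reauth.php` path are illustrative.

```php
<?php
// Added example, not from the original thread: session-bound consistency check
// with a mild response on mismatch. Assumes PHP >= 7 and a server-side session.

session_start();

// Build a fingerprint from headers that stay stable across a browser session.
// Accept is deliberately excluded: as the thread notes, IE sends a different
// Accept value on reload, which would produce false mismatches.
function request_fingerprint(array $server): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
    ];
    return hash('sha256', implode("\n", $parts));
}

// Call once, immediately after a successful login. The fingerprint lives in
// the server-side session, so the client cannot simply rewrite it.
function bind_session_to_client(array $server): void
{
    session_regenerate_id(true);
    $_SESSION['fingerprint'] = request_fingerprint($server);
    $_SESSION['trusted'] = true;
}

// Call on every request. The "punishment" is mild: on a mismatch the session
// is marked untrusted so sensitive actions require re-authentication, instead
// of logging the user out (proxies and odd browsers would otherwise cause
// legitimate users to be kicked out).
function check_client_consistency(array $server): bool
{
    if (!isset($_SESSION['fingerprint'])) {
        return false; // session not yet bound to a client
    }
    if (!hash_equals($_SESSION['fingerprint'], request_fingerprint($server))) {
        $_SESSION['trusted'] = false;
        // Log it: the rate of mismatches tells you how often real users trip
        // the check, which is what you tune the "punishment" against.
        error_log('session fingerprint mismatch for session ' . session_id());
        return false;
    }
    return true;
}

// Guard for actions such as changing a password or e-mail address.
// /reauth.php is an assumed path for a page that asks for the password again.
function require_trusted_session(): void
{
    if (empty($_SESSION['trusted'])) {
        header('Location: /reauth.php');
        exit;
    }
}

// Typical usage on a protected page (constructed for this example):
check_client_consistency($_SERVER);
require_trusted_session();
```

The split between `check_client_consistency` and `require_trusted_session` is the point: ordinary page views keep working after a mismatch, and only the handful of actions that matter ask the user to prove identity again, which is what keeps the false positives from proxies and browser quirks from becoming support tickets.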
