These forums are CLOSED. Please visit the new forums HERE
HTTP Request Validation |
|
|
Siann Beck
Beauty & Braiiiiinsss!
Join date: 14 Jul 2007
Posts: 140
|
01-20-2008 05:29
Is there a reliable way to ensure an HTTP request has come from LL servers? How easy is it to spoof the request headers?
|
|
Haruki Watanabe
llSLCrash(void);
Join date: 28 Mar 2007
Posts: 434
|
01-20-2008 05:55
It's pretty easy to spoof headers with a php-script...
But then again, you're the one making tha request, so if you enter the correct URL, you can be pretty sure that the response comes from the right server... Unless someone hacked into the SL-Servers and hijacked their URL... |
|
Siann Beck
Beauty & Braiiiiinsss!
Join date: 14 Jul 2007
Posts: 140
|
01-20-2008 06:17
Yeah, the setup I have is pretty secure -- the URL exists only in a no-mod script, and I've never even publicized the domain name, so the chances of anyone even getting the URL to make a request are slim. Of course, if someone did get it, all they would have to do is write a script in SL to make the request, so even checking that the request comes from LL servers would be no protection. Oh well.
It sure would be nice to have a MD5 function in LSL! Edit: Erm, nevermind. How on earth did I overlook that all this time?! Edit 2: OK, no more pre-coffee programming for me. Not only did I know about the function, I've used it before. : igh::CODE
|
|
Haruki Watanabe
llSLCrash(void);
Join date: 28 Mar 2007
Posts: 434
|
01-20-2008 07:00
Lmao!
|
|
Hewee Zetkin
Registered User
Join date: 20 Jul 2006
Posts: 2,702
|
01-20-2008 12:34
The headers are pretty easy to spoof, but there is also a published list of IP ranges for LL's servers. If a connection comes from there AND has the headers, it's a pretty good bet it is from LSL code. The authentication hash is still a good idea though, if any of the communications is critical.
http://wiki.secondlife.com/wiki/Simulator_IP_Addresses |
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
01-20-2008 13:02
Edit 2: OK, no more pre-coffee programming for me. Not only did I know about the function, I've used it before. : igh::That has always been my rule #1, of course then I do have a rotary burr mill, 18 barr pump driven expresso machine & locally roasted, fresh beans Needless to say, I LOVE coffee!!!!!!!!!!!Rule#2 I found out the hard way. Never, ever try to answer scripting questions while under the influence of pain pills ![]() _____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime.
I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum |
|
Haruki Watanabe
llSLCrash(void);
Join date: 28 Mar 2007
Posts: 434
|
01-20-2008 14:03
I just realized that I actually understood the question wrong... I thought you were asking about HTTP-Requests sent _into_ SL no the ones sent _from_ SL to a webserver...
Adding a hash-value might be a pretty good idea... ... and btw - I had lots of coffee already when I replied... it's not _always_ helpful ![]() My config: Server: Electro-Stove OS: (pre-grinded) Chicco d'Oro Processor: Italian Espresso-Machine (one of these where you put the water in the bottom, the coffee in the middle and put it directly on your stove - blubbers when task is completed Average input/output: too much |