Re: $referrer = $_SERVER['HTTP_REFERER'] echo [message #181985 is a reply to message #181977] Fri, 28 June 2013 21:55
Thomas 'PointedEars' Lahn (Senior Member; Messages: 701; Registered: October 2010)
Christoph Michael Becker wrote:

> Thomas 'PointedEars' Lahn:
>> Christoph Michael Becker wrote:
>>> Thomas 'PointedEars' Lahn wrote:
>>>> Christoph Michael Becker wrote:
>>>> > Thomas 'PointedEars' Lahn wrote:
>>>> > Anyway, it seems the regular expression given in Appendix B of RFC
>>>> > 2396 *seems* to be more permissive than the actual syntax given in
>>>> > Appendix A.
>>>> Appendixes are not normative. Assuming relevance, in which way does it
>>>> seem more permissive?
>>>
>>> The following example passes the regular expression in Appendix B of RFC
>>> 2396, but it is not allowed according to Appendix A (if I'm not
>>> mistaken):
>>>
>>> http://http://example.com
>>
>> You are mistaken.
>>
>> <snipped proof>
>
> Thank you very much for proving me wrong. :) (I had not thought about
> the fact that a segment may be empty.)

The possibility occurred to me only after I went down the “net_path” path as
you probably did, which led nowhere (in disproving you).

>> [Some day I'll write an automatic grammar resolver. And I should let
>> other people prove their unfounded statements instead of going to
>> lengths disproving them.]
>
> My apologies for having bothered you.

You have not bothered me. It was an interesting problem to hack, after all.
It was *my* mistake: I should not invite “shifting the burden of proof”
fallacies by doing things like this (but I know you did not intend that).

> Actually I had thought about writing a parser to check it myself, but I
> have only some experience with Coco/R[1] which only processes LL(1)
> grammars. Lex/Yacc would have been more useful in this case.

I have played a bit with JFlex while studying CS. Perhaps this could be an
approach. Thanks.

>>>> > I have not checked RFC 3986 regarding this issue yet.
>>>> >
>>>> >> But I would never check against the HTTP-Referer [sic!] in the first
>>>> >> place. There are much more reliable solutions, like session
>>>> >> variables. See also <https://owasp.org/>.
>>>> > ACK. OTOH I have some concerns regarding cookies (I do not "like" to
>>>> > propagate session IDs as a GET parameter) due to the European cookie
>>>> > law(s).
>>>> Directive 95/46/EC does not apply here.
>>> I was referring to directive 2009/136/EC, which *might* apply.
>>
>> How?

(See? I did it :))

> Article 2 of the directive[2] §5 states:
>
> | Article 5(3) shall be replaced by the following:
> |
> | ‘3. Member States shall ensure that the storing of information, or
> | the gaining of access to information already stored, in the terminal
> | equipment of a subscriber or user is only allowed on condition that
> | the subscriber or user concerned has given his or her consent, having
> | been provided with clear and comprehensive information, in accordance
> | with Directive 95/46/EC, inter alia, about the purposes of the
^^^^^^^^^^^^^^^^^^
> | processing. This shall not prevent any technical storage or access
> | for the sole purpose of carrying out the transmission of a
> | communication over an electronic communications network, or as
> | strictly necessary in order for the provider of an information
> | society service explicitly requested by the subscriber or user to
> | provide the service.’;
>
> I assume that this concerns all kinds of HTTP cookies. In the given
> case the cookie is probably not covered by the second sentence.

I think the *session* cookie *is* covered there. It is stored and used only
for making sure that the user is still in the same session. Also, there is
this (unreferenced) statement:

,-<http://en.wikipedia.org/wiki/HTTP_cookie#EU_Cookie_Law>
|
| In June 2012, European data protection authorities adopted an opinion
| which clarifies that some cookie users might be exempt from the
| requirement to gain consent:
|
| - Some cookies can be exempted from informed consent under certain
| conditions if they are not used for additional purposes. These cookies
| include cookies used to keep track of a user’s input when filling online
| forms or as a shopping cart.

Subsequent paragraphs describe and reference the negative reaction to the
“cookie law”. I also remember having seen at the time, as a negative
reaction, a series of ridiculous popups representing what would need to
happen if that Directive was taken seriously.

> However, IANAL.
>
> [1] <http://www.ssw.uni-linz.ac.at/coco/>
> [2] <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF>

IANAL either, and this discussion about layman interpretations of legalese
is probably leading nowhere except perhaps “reasonable doubt”.

However, AIUI Directive 95/46/EC *referred there* explicitly excludes
*session* cookies as it mandates:

<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML>

| Article 2
| Definitions
| For the purposes of this Directive:
| (a) 'personal data' shall mean any information relating to an identified
| or identifiable natural person ('data subject'); an identifiable person is
| one who can be identified, directly or indirectly, in particular by
| reference to an identification number or to one or more factors specific
| to his physical, physiological, mental, economic, cultural or social
| identity;
| […]
|
| Article 3
| Scope
| 1. This Directive shall apply to the processing of personal data wholly or
| partly by automatic means, and to the processing otherwise than by
| automatic means of personal data which form part of a filing system or are
| intended to form part of a filing system.

IMHO it excludes session cookies because they are not “information relating
to an identified or identifiable natural person”. At most you can identify
this way an HTTP client running on a computer that one individual *or more*
(say, a family household or office people) are using.

That said, an EU “directive is a legislative act of the European Union,[1]
which requires member states to achieve a particular result without
dictating the means of achieving that result.” (Wikipedia)

If you think about it: Is it likely that all those companies located in the
EU that use PHP sessions in their Web application are in violation of the
law? Why have they continued doing business, and why has no one ever sued
them?

I think I understand at least a bit of legalese; there is /de jure/ and /de
facto/. While /de jure/ it *might* be necessary to ask the user explicitly
before setting a session cookie, /de facto/ it is the user who defined in
their browser settings to accept session cookies or to be asked about them
and then confirms that they are set in order to use the application. That
also includes the session cookie set for the PHP session ID.


PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
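The RFC 2396 Appendix B regular expression and the `http://http://example.com` case from this thread, worked through in Python as an added example (not code from the original post). It shows why the regex accepts that URI (the authority is `http:`, an empty first path segment follows) and why a host-allowlist comparison on the parsed authority is the check a substring match on the Referer cannot replace; `split_uri`, `referrer_host`, `naive_referrer_check` and `referrer_is_trusted` are hypothetical helper names and the allowlist is a constructed value.

```python
import re

# The parsing regular expression given in Appendix B of RFC 2396,
# copied verbatim; every component is optional, so it matches any string.
RFC2396_APPENDIX_B = re.compile(
    r'^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?'
)


def split_uri(uri):
    """Return (scheme, authority, path, query, fragment) as Appendix B
    numbers them ($2, $4, $5, $7, $9); absent components are None."""
    m = RFC2396_APPENDIX_B.match(uri)
    return (m.group(2), m.group(4), m.group(5), m.group(7), m.group(9))


def referrer_host(uri):
    """Host of the authority per RFC 2396 'server' = [userinfo@]host[:port].
    Returns None when the URI carries no authority at all."""
    authority = split_uri(uri)[1]
    if authority is None:
        return None
    hostport = authority.rsplit('@', 1)[-1]   # drop optional userinfo
    return hostport.split(':', 1)[0].lower()  # drop optional port


def naive_referrer_check(referrer, expected_host):
    """The substring test the thread warns about: it 'succeeds' for
    http://http://example.com although the parsed host is 'http'."""
    return expected_host in referrer


def referrer_is_trusted(referrer, allowed_hosts):
    """Compare the parsed host against an allowlist (constructed here);
    this is still only a weak hint, as the thread says: the Referer is
    client-supplied and a server-side session is the reliable check."""
    host = referrer_host(referrer)
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    sample = "http://http://example.com"       # constructed, from the thread
    print(split_uri(sample))                   # ('http', 'http:', '//example.com', None, None)
    print(referrer_host(sample))               # 'http'
    print(naive_referrer_check(sample, "example.com"))        # True (misleading)
    print(referrer_is_trusted(sample, {"example.com"}))       # False
```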