
profreehost claims that a '?i=1' URL GET param can protect their servers. I wondered how. I did use Google before asking the question, but all the results were about them being for security and how to remove them (if you have SSH access). I wanted to know the principles and maybe try to implement one for my own site (on a VPS). I guess the answer lies in the behavior of browsers.

Sam

1 Answer

The parameter in itself is not the security mechanism; the security mechanism / browser check is the ability of the browser to store and use a cookie...

The pseudo logic is something along the lines of:

  1. If a cookie is set:
     -> assume that only "real browsers" can use cookies and show the page

  2. If no cookie is set:
     -> When URL parameter i is set and greater than 3, show an error (assume that a browser that will follow multiple redirects but won't store cookies is not a real browser and/or is broken)
     -> ELSE
     --> set the cookie
     --> increment i by 1
     --> return a redirect to URL?i=$i

bob
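The redirect-and-cookie loop from the answer, written out as an added example (this is not code from the original post or from profreehost). The cookie name, the redirect threshold, the example URL and the simulated clients are assumptions; the server side is a plain function so the same logic can be dropped behind any framework.

```python
from urllib.parse import urlencode, urlparse, parse_qs

COOKIE_NAME = "__browser_check"  # assumed name; the page does not specify one
MAX_I = 3                        # the answer's "greater than 3" threshold


def _read_i(url):
    """Parse the i parameter defensively: missing or malformed -> 0."""
    raw = parse_qs(urlparse(url).query).get("i", ["0"])[0]
    try:
        return max(0, int(raw))
    except ValueError:
        return 0


def handle_request(url, cookies):
    """Server side. `cookies` is the dict of cookies the client sent.
    Returns (status, headers, body) for one request."""
    if COOKIE_NAME in cookies:
        # Step 1: a client that stores and replays cookies gets the page.
        return 200, {}, "real page"
    i = _read_i(url)
    if i > MAX_I:
        # Step 2a: followed several redirects without keeping the cookie.
        return 403, {}, "error: client does not store cookies"
    # Step 2b: set the cookie, bump i, redirect back to the same URL.
    location = url.split("?", 1)[0] + "?" + urlencode({"i": i + 1})
    headers = {
        "Set-Cookie": f"{COOKIE_NAME}=1; HttpOnly; SameSite=Lax",
        "Location": location,
    }
    return 302, headers, ""


def simulate_client(url, stores_cookies, max_hops=10):
    """Client side (constructed): follow redirects, optionally keeping
    cookies. Returns (final_status, body, requests_made)."""
    jar = {}
    for hop in range(max_hops):
        status, headers, body = handle_request(url, jar)
        if stores_cookies and "Set-Cookie" in headers:
            name, value = headers["Set-Cookie"].split(";", 1)[0].split("=", 1)
            jar[name] = value
        if status != 302:
            return status, body, hop + 1
        url = headers["Location"]
    return None, None, max_hops


if __name__ == "__main__":
    print(simulate_client("http://example.test/page", stores_cookies=True))
    print(simulate_client("http://example.test/page", stores_cookies=False))
```

A cookie-keeping client is served on its second request; a client that discards cookies walks i from 0 to 4 and is refused on the fifth.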
  • Thanks, you mean the server will check whether the cookie is set? So when, in your flow, should it do so? Implementing this will result in losing the benefit of a CDN, as a CDN should not cache anything with a cookie, right? And what should the cookie contain? Creation time, UA, IP? – Sam Oct 04 '21 at 22:20