Dave,

I just wanted to say thanks. This helped me to make sense of some problems I have had.

Swamp,

Infopop is not "farming data" from the boards. It's not like data is being gathered and sent back to some secret Infopop base, where they correlate all the data, and then sell it to someone.

In the normal course of the functions of the boards, you have to come from one page to get to another. If, for instance, you saved a 'reply' page, and then spoofed some of the info in that page's code, you could possibly pretend to be someone else, and make a post in their name. But with HTTP_REFERER being checked, the forum script has a way of verifying that you are who you claim to be.

For example, you had to log in when you arrived. (Or you have a permanent cookie, and don't have to log in.) In either case, there was a point where you entered the board. Then you went from one page to another, to another, etc. Now, if someone were to just drop a reply to a post, in your name, out of the blue... The script would not recognize its validity. Because "you" (the fake you) did not come from the correct page. If "you" had come from the correct previous page, and the correct previous page before that, then you would have no problem. But to just spoof a form, and drop it in cold, will get "you" nowhere.

So, in this case, yes, the forum could simply read your cookie, and see that you are you, and let you make the reply. But, I have already seen cookies spoofed. If someone can spoof a form, they can spoof a cookie. Having that HTTP_REFERER as a backup, extra security step, only makes sense.
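
The previous-page check described in this post, sketched as an added example (it is not code from the post or from Infopop's software): a form handler accepts a submission only when HTTP_REFERER parses to the forum's own host and to the page that normally leads to that handler. The host name, the paths and the `referer_ok` helper are assumptions made for illustration; the header is supplied by the client, so the check sits next to the login cookie as the backup step the post describes.

```python
from urllib.parse import urlsplit

# Assumed values for illustration; not taken from any real forum.
FORUM_ORIGIN = ("https", "forum.example.com")
# The page each form handler expects the request to arrive from.
EXPECTED_PREVIOUS_PAGE = {
    "/post_reply": "/reply_form",
    "/post_topic": "/new_topic_form",
}


def referer_ok(environ):
    """Return (allowed, reason) for a CGI-style environ dict."""
    expected_path = EXPECTED_PREVIOUS_PAGE.get(environ.get("PATH_INFO", ""))
    if expected_path is None:
        return True, "no referer rule for this path"
    referer = environ.get("HTTP_REFERER", "").strip()
    if not referer:
        return False, "missing referer"
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False, "malformed referer"
    # Compare parsed components exactly. A substring test such as
    # '"forum.example.com" in referer' would accept look-alike hosts.
    if (parts.scheme.lower(), host) != FORUM_ORIGIN:
        return False, "referer from another site"
    if parts.path != expected_path:
        return False, "referer is not the expected previous page"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    "https://forum.example.com/reply_form?topic=12",
    "",
    "https://forum.example.com.other.test/reply_form",
    "https://forum.example.com@other.test/reply_form",
    "https://forum.example.com/index",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        env = {"PATH_INFO": "/post_reply", "HTTP_REFERER": ref}
        print(repr(ref), "->", referer_ok(env))
```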