question | can the user fake http response?
dberebi
02-20-08, 10:40 AM
I want to make an application that only registered users of my site (don't worry, it will be free) are allowed to use, so I thought of making something like this:
1. Make a page that receives the username and password in the URL (GET variable in PHP) and returns "registered" or "unregistered" (only one word, without HTML etc.).
2. My application will request that page any time the user wants to perform a specified action, and depending on the response the application will know whether the user is registered or not.
The question is:
Can anyone fake the http response?
What kind of application? A client side application? Which language?
I guess the user could change the IP in his DNS cache, and make his computer request his own host instead of yours.
Anyway, can you give some more details about the application?
dberebi
02-20-08, 12:26 PM
A client-side application. I'm still in the draft stage, but I think I'll make it in Visual Basic or Flash with ActionScript.
The application just performs some rendering actions with images.
I guess the user could change the IP in his DNS cache, and make his computer request his own host instead of yours.
Can you expand on that or give me a link to read?
According to that, I can't make what I want...
I don't have any documents or links on hand, but here's a quick example:
On Windows you could do this:
Open:
C:\WINDOWS\system32\drivers\etc\hosts
And add:
123.123.123.123 www.your-host.com
... to the list. (Where 123.123.123.123 is the hacker's IP)
Now when your computer makes an HTTP request to this domain, it'll use the new IP address instead of the real one.
BUT, if the hacker would want to do this, he'd have to know the URL you're using in your script, and he'd also have to know the response your server returns. I'm sure there are ways to figure this out, but I don't know any.
Anyway, I still think it's not very likely that someone would actually do that. But note that the program would depend on your server. If it was down, the program would not work on the user's computer.
And another thought, perhaps it's more secure if you use your server's IP address instead of the domain, because I don't seem to be able to "rewrite" IP addresses like in the example above.
dberebi
02-20-08, 03:00 PM
I don't have any documents or links on hand, but here's a quick example:
On Windows you could do this:
Open:
C:\WINDOWS\system32\drivers\etc\hosts
And add:
123.123.123.123 www.your-host.com
... to the list. (Where 123.123.123.123 is the hacker's IP)
Now when your computer makes an HTTP request to this domain, it'll use the new IP address instead of the real one.
Thanks for the info
BUT, if the hacker would want to do this, he'd have to know the URL you're using in your script, and he'd also have to know the response your server returns. I'm sure there are ways to figure this out, but I don't know any.
It's impossible to completely hide the URL because there are many programs to trace web activity, but maybe instead of one word in the response I can make an encoded passphrase (each user will have a different passphrase) that the program will decode. Something like that will be harder to hack.
Anyway, I still think it's not very likely that someone would actually do that. But note that the program would depend on your server. If it was down, the program would not work on the user's computer.
And another thought, perhaps it's more secure if you use your server's IP address instead of the domain, because I don't seem to be able to "rewrite" IP addresses like in the example above.
I know that the program will depend on my server, but I hope to acquire a good and reliable server, and anyway I must use the domain because the IP may change... the domain will not.
alfgaard
07-21-08, 10:39 AM
I don't have any documents or links on hand, but here's a quick example:
On Windows you could do this:
Open:
C:\WINDOWS\system32\drivers\etc\hosts
And add:
123.123.123.123 www.your-host.com
... to the list. (Where 123.123.123.123 is the hacker's IP)
Now when your computer makes an HTTP request to this domain, it'll use the new IP address instead of the real one.
BUT, if the hacker would want to do this, he'd have to know the URL you're using in your script, and he'd also have to know the response your server returns. I'm sure there are ways to figure this out, but I don't know any.
Anyway, I still think it's not very likely that someone would actually do that. But note that the program would depend on your server. If it was down, the program would not work on the user's computer.
And another thought, perhaps it's more secure if you use your server's IP address instead of the domain, because I don't seem to be able to "rewrite" IP addresses like in the example above.
I had the same problem. Thank you.
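Added example, not part of any post in this thread: one way a client can tell a genuine "registered" answer from one served by a redirected host or replayed from an earlier session is to have the server sign the answer together with a fresh client nonce. The function names, the JSON layout and the user name are assumptions made for this sketch (Node.js, Ed25519), and the key pair is constructed at run time; in practice only the public key would ship in the client.

```javascript
const crypto = require('crypto');

// Constructed demo key pair. The private key belongs on the server only.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Client: a fresh random value per request, so an old answer cannot be reused.
function newNonce() {
  return crypto.randomBytes(16).toString('hex');
}

// Server: sign status + username + the client's nonce as one payload.
function serverRespond(username, nonce, isRegistered, key = privateKey) {
  const status = isRegistered ? 'registered' : 'unregistered';
  const payload = JSON.stringify({ username, nonce, status });
  const signature = crypto.sign(null, Buffer.from(payload), key).toString('base64');
  return { payload, signature };
}

// Client: accept only a validly signed answer for this user and this nonce.
function clientAccepts(response, username, nonce, key = publicKey) {
  try {
    const ok = crypto.verify(null, Buffer.from(response.payload), key,
                             Buffer.from(response.signature, 'base64'));
    const body = JSON.parse(response.payload);
    return ok && body.username === username && body.nonce === nonce &&
           body.status === 'registered';
  } catch {
    return false; // missing signature or malformed payload
  }
}

// Walk through the cases discussed in the thread with constructed inputs.
function demo() {
  const nonce = newNonce();
  const genuine = serverRespond('alice', nonce, true);
  const denied = serverRespond('alice', nonce, false);
  const otherHost = crypto.generateKeyPairSync('ed25519'); // host without the real key
  return {
    genuine: clientAccepts(genuine, 'alice', nonce),
    bareWord: clientAccepts({ payload: 'registered' }, 'alice', nonce),
    otherKey: clientAccepts(serverRespond('alice', nonce, true, otherHost.privateKey), 'alice', nonce),
    replayed: clientAccepts(genuine, 'alice', newNonce()),
    edited: clientAccepts({ payload: denied.payload.replace('unregistered', 'registered'),
                            signature: denied.signature }, 'alice', nonce),
  };
}
```

This check covers a redirected, replayed or edited response; it does not cover a user who modifies the client program itself so that the check is skipped.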