Difference between revisions of "Talk:LlHTTPRequest"

From Second Life Wiki
Jump to navigation Jump to search
Line 41: Line 41:
I know that Verisign, Thawt, and RapidSSL are accepted, I know that CACert.org is not.
I know that Verisign, Thawt, and RapidSSL are accepted, I know that CACert.org is not.


== HTTP_VERIFY_CERT behavior clarification ==
== [[HTTP_VERIFY_CERT]] behavior clarification ==


Even when HTTP_VERIFY_CERT is set to FALSE, if the certificate domain name does not match the URL domain you will get a HTTP 499 response.
Even when HTTP_VERIFY_CERT is set to FALSE, if the certificate domain name does not match the URL domain you will get a HTTP 499 response.
{{Unsigned|Apotheus Silverman}}
:That does not sound like a bug. That sounds like a feature. If I tried to access https://www.microsoft.com and the certificate was for hax0r.com I would be thinking there was a man-in-the-middle attack happening. On the flip side if you don't verify the signing authority you can pretend to be anyone you want. I don't know which is worse, the false sense of security or certificate impersonation. -- '''[[User:Strife_Onizuka|Strife]]''' <sup><small>([[User talk:Strife_Onizuka|talk]]|[[Special:Contributions/Strife_Onizuka|contribs]])</small></sup> 13:21, 15 October 2008 (PDT)

Revision as of 12:21, 15 October 2008

I have a Question .. Does POST work ? I couldnt get it working Anylyn Hax 13:34, 28 July 2007 (PDT)


The following headers will be present, usable by scripts running on the HTTP server if the scripting language allows you to access the headers.

An PHP example on how to check to see if the call came from the main grid:

<?php
    if ($_SERVER["HTTP_X_SECONDLIFE_SHARD"] == "Production") {
        echo 'You are using the main grid';
    } else {
        echo 'You are not using the main grid';
    }
?>

Odd format for header names

Why are the headers listed as HTTP_SOME_HEADER_NAME, when the sent headers are in the format Some-Header-Name? Is there some benefit to putting false values that match conventions used by CGI, but aren't actually correct?

  • This is because you are looking at a global property with a lot more information than just headers. Some functions like listed below handle the stripping of the HTTP_ information, but you could also just use substr to remove the HTTP_ Wouter Hobble - 4 July 2008

I am aware that the example given above works, but (assuming that you're using mod_php) this would too, and reflects the real header names:

<?php
$headers = apache_request_headers();
if($headers['X-SecondLife-Shard'] == 'Production')
{
    print "You are on the main grid.";
}
else
{
    print "You are on a preview grid.";
}
?>

Additionally, the current information does not show the capitalisation, thus further confusing the matter. Katharine Berry 09:55, 21 June 2007 (PDT)

Root Certificates

Can someone add a list of root certificates to this article?

I know that Verisign, Thawt, and RapidSSL are accepted, I know that CACert.org is not.

HTTP_VERIFY_CERT behavior clarification

Even when HTTP_VERIFY_CERT is set to FALSE, if the certificate domain name does not match the URL domain you will get a HTTP 499 response. —The preceding unsigned comment was added by Apotheus Silverman

That does not sound like a bug. That sounds like a feature. If I tried to access https://www.microsoft.com and the certificate was for hax0r.com I would be thinking there was a man-in-the-middle attack happening. On the flip side if you don't verify the signing authority you can pretend to be anyone you want. I don't know which is worse, the false sense of security or certificate impersonation. -- Strife (talk|contribs) 13:21, 15 October 2008 (PDT)