[Typo3] Unable to login to BE due to ZoneAlarmPro - solutions - which is better?

Thorsten Kahler thorsten.kahler at dkd.de
Mon Sep 12 14:39:33 CEST 2005


Hi Michael,

relying on HTTP_REFERER (or any other HTTP header data) definitely adds no
reliable security to any application. HTTP headers can easily be faked, and
nowadays they're very often filtered by some (misconfigured) security
applications.

I'd suggest enabling doNotCheckReferer in TYPO3 to avoid that kind of
problem. There are situations where a referer check won't harm (e.g.
intranet surroundings), but on the web it's not reliable.

Regards
Thorsten

Michael Baker wrote:
> I recently upgraded ZoneAlarmPro to version 6.0.667.000.
> Since doing so I was unable to log in to my TYPO3 back end.  I kept getting:
> 
> Error: This host address ("michael-baker.com") and the referer host ("")
> mismatches!
> It's possible that the environment variable HTTP_REFERER is not passed
> to the script because of a proxy.
> The site administrator can disable this check in the configuration
> (flag: TYPO3_CONF_VARS[SYS][doNotCheckReferer]).
> 
> I am my own administrator and I could not disable this check until I logged
> in :-( .
> 
> Fortunately I found that when I unchecked "Enable Privacy for this
> program" for my web browser in the ZoneAlarmPro Control Center, the
> problem went away. :-)   This is available in the ZAP Control Center
> from Program Control | Firefox | Options | Filter Options
> 
> Then when I logged in to the BE I used Install to add the suggested flag
> to localconf.php. Now I am able to log in with Enable Privacy for Firefox
> enabled again.
> 
> Does anyone have suggestions as to the pros and cons of either of these
> methods?
> 
> Michael.
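To make the trade-off in this thread concrete, here is a small toy re-implementation of the kind of referer-host check the error message above describes. It is an added example, not TYPO3's own code or anyone's code from this list. The request host "michael-baker.com", the sample headers and the function names (referer_host, check_referer, outcome) are constructed for illustration; the do_not_check_referer flag stands in for TYPO3_CONF_VARS[SYS][doNotCheckReferer]. The three sample requests show why the check both locks out a legitimate user whose privacy filter or proxy strips the Referer header and stops nothing when a client simply sets the header itself.

```python
"""
Toy referer-host check in the style of the error message quoted above.
Not TYPO3's code: a constructed example to show what the check does and
does not protect against.
"""
from urllib.parse import urlsplit


class RefererMismatch(Exception):
    """Raised when the referer host does not match the request host."""


def referer_host(headers):
    """Host part of the Referer header, lower-cased; '' if absent or unparseable."""
    referer = headers.get("Referer", "")
    return (urlsplit(referer).hostname or "").lower()


def check_referer(request_host, headers, do_not_check_referer=False):
    """The host the request was sent to must equal the host in the Referer,
    unless the check is switched off (the equivalent of doNotCheckReferer)."""
    if do_not_check_referer:
        return True
    got = referer_host(headers)
    if got != request_host.lower():
        # Same wording as the message the original poster saw.
        raise RefererMismatch(
            f'This host address ("{request_host}") and the referer host ("{got}") mismatches!'
        )
    return True


HOST = "michael-baker.com"  # constructed sample host, taken from the quoted error

# 1. Normal browser request: Referer present, check passes.
BROWSER = {"Referer": f"https://{HOST}/typo3/index.php"}

# 2. A privacy filter or proxy has stripped Referer: the real admin is locked out.
FILTERED = {}

# 3. Any client that sets its own headers: the check is satisfied with no effort,
#    which is why it adds no reliable security.
FORGED = {"Referer": f"https://{HOST}/"}


def outcome(headers, do_not_check_referer=False):
    """'ok' if the request would pass, otherwise the error text the user would see."""
    try:
        check_referer(HOST, headers, do_not_check_referer)
        return "ok"
    except RefererMismatch as exc:
        return str(exc)


if __name__ == "__main__":
    for label, h in (("browser", BROWSER), ("privacy filter", FILTERED), ("forged", FORGED)):
        print(f"{label:20} -> {outcome(h)}")
    print(f"{'filtered, check off':20} -> {outcome(FILTERED, do_not_check_referer=True)}")
```

Running the block prints the four cases side by side: the stripped-header request fails with exactly the mismatch message from the thread, the request with a self-set Referer passes, and turning the check off lets the stripped-header login through again, which is what the doNotCheckReferer flag does for the original poster.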


