HTTP_WEFERER

Eric Eisenhart eric at eisenhart.com
Tue Oct 22 12:06:18 PDT 2002


On Tue, Oct 22, 2002 at 01:47:02PM -0500, Warren Raquel wrote:
> I have a LAMP site that uses HTTP_REFERER as part of the security. It turns 
> out that personal firewalls like Norton Personal Firewall and ZoneAlarm 
> (regular/pro) register HTTP_WEFERER and not HTTP_REFERER and the value is 
> something like 'EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV'. I did a google search 
> and the information I found was on 2 pages and was very much lacking. 
> Anyone else run into this or know where I can find more information?

HTTP_REFERER != security.

HTTP_REFERER is easy enough to fake if you need to (anything at all that the
user sends you is) and has a risk of showing up in the access logs of other
sites.  Heck, some sites have access logs that are public.  (Or summaries
that would include that kind of information...) -- just do a Google search
for "http://www.yoursite.here/your_app/" and find those logs if they're
there.

I've never seen that specific behavior that you're talking about, but it's
not uncommon for proxy servers to clobber HTTP_REFERER in various ways.

I'd suggest a session variable via a cookie or a real login.

(or if you're trying to implement "security" of the sort that an application
like a web-counter or something needs to be sure other sites aren't linking
to your counter, just check for the referer; if it's there and it's wrong,
deny; if it's correct or not present, allow.)
-- 
Eric Eisenhart                                  eric-dot-sig at eisenhart.com
Perl, SQL, Linux and Web            ^               IRC: Freiheit at freenode
Coder, Sysadmin and geek           /e\                AIM: falsch freiheit
http://eric.eisenhart.com/         ---                       ICQ: 48217244
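As an added example (not code from Eric's reply or from Warren's site), the two policies the reply describes, run over constructed CGI-style environments of the kind a LAMP app sees as $_SERVER: the web-counter rule (present and wrong denies, correct or absent allows) and a signed session cookie as the "real login" alternative. Python is used rather than PHP; the hostnames, the cookie name "sess" and the server secret are assumptions for illustration.

```python
"""Added example, not code from the original post: the hotlink rule from the
reply and a session-cookie check, run over constructed request environments.
ALLOWED_HOSTS, SECRET and the cookie name "sess" are assumptions."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed: the hostnames the counter is allowed to be embedded from.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def referer_host(environ):
    """Hostname from HTTP_REFERER; None if the header is absent, "" if it is
    present but not a parseable URL (a proxy-clobbered value, for instance)."""
    ref = environ.get("HTTP_REFERER")
    if not ref:
        return None
    host = urlsplit(ref).hostname
    return host.lower() if host else ""


def hotlink_policy(environ, allowed_hosts=ALLOWED_HOSTS):
    """The web-counter rule from the reply: present and wrong -> deny,
    correct or not present -> allow. HTTP_WEFERER is never consulted, so a
    client whose personal firewall renamed the header is treated exactly
    like one that sent no Referer at all."""
    host = referer_host(environ)
    if host is None:
        return "allow"
    return "allow" if host in allowed_hosts else "deny"


# Assumed server-side secret for the "real login" alternative; never sent to clients.
SECRET = b"assumed-server-side-secret"


def make_session_cookie(user):
    """Session token bound to the user with an HMAC the client cannot forge
    without SECRET. This, not the Referer header, is what the server trusts."""
    sig = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"


def session_user(environ):
    """Parse HTTP_COOKIE and return the user only if the 'sess' token verifies."""
    cookies = {}
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    token = cookies.get("sess")
    if not token or "." not in token:
        return None
    user = token.rsplit(".", 1)[0]
    # Recompute and compare in constant time; a token with an edited user
    # or a guessed signature fails here.
    if hmac.compare_digest(make_session_cookie(user), token):
        return user
    return None


# Constructed requests (not captured traffic) covering the cases in the thread.
REQUESTS = {
    "no_referer": {},
    "own_page": {"HTTP_REFERER": "http://www.example.com/stats/"},
    "other_site": {"HTTP_REFERER": "http://www.elsewhere.test/counter.html"},
    # Any client can send whatever Referer it likes; indistinguishable from own_page.
    "forged": {"HTTP_REFERER": "http://www.example.com/"},
    # A proxy that clobbers the value but keeps the header name.
    "garbled": {"HTTP_REFERER": "EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV"},
    # The personal-firewall case from the question: header renamed, REFERER absent.
    "weferer": {"HTTP_WEFERER": "EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV"},
}

if __name__ == "__main__":
    for name, env in REQUESTS.items():
        print(f"{name:>10}: {hotlink_policy(env)}")
    good = {"HTTP_COOKIE": "sess=" + make_session_cookie("warren")}
    print("session user:", session_user(good))
```

The "forged" and "own_page" entries produce the same verdict, which is the whole point of the reply: a Referer check keeps honest third-party pages from embedding the counter, but anything that depends on it for access control is defeated by a client that types the expected value in. The "weferer" entry shows that, under the allow-if-absent rule, users behind a header-renaming personal firewall are let through rather than locked out; only the session token gives the server something the client cannot make up.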


