HTTP_WEFERER
Eric Eisenhart
eric at eisenhart.com
Tue Oct 22 12:06:18 PDT 2002
On Tue, Oct 22, 2002 at 01:47:02PM -0500, Warren Raquel wrote:
> I have a LAMP site that uses HTTP_REFERER as part of the security. It turns
> out that personal firewalls like Norton Personal Firewall and ZoneAlarm
> (regular/pro) register HTTP_WEFERER and not HTTP_REFERER and the value is
> something like 'EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV'. I did a google search
> and the information I found was on 2 pages and was very much lacking.
> Anyone else run into this or know where I can find more information?
HTTP_REFERER != security.
HTTP_REFERER is easy enough to fake if you need to (anything at all that the
user sends you is) and has a risk of showing up in the access logs of other
sites. Heck, some sites have access logs that are public. (or summaries
that would include that kind of information...) -- just do a google search
for "http://www.yoursite.here/your_app/" and find those logs if they're
there.
I've never seen that specific behavior that you're talking about, but it's
not uncommon for proxy servers to clobber HTTP_REFERER in various ways.
I'd suggest a session variable via a cookie or a real login.
(or if you're trying to implement "security" of the sort that an application
like a web-counter or something needs to be sure other sites aren't linking
to your counter, just check for the referer; if it's there and it's wrong,
deny, if it's correct or not present, allow.)
--
Eric Eisenhart eric-dot-sig at eisenhart.com
Perl, SQL, Linux and Web ^ IRC: Freiheit at freenode
Coder, Sysadmin and geek /e\ AIM: falsch freiheit
http://eric.eisenhart.com/ --- ICQ: 48217244
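The hot-linking rule described in the reply (referer absent or correct: allow; present and wrong: deny), as an added example that is not part of the original post. It reads a CGI/WSGI-style environ dict, so a header renamed to HTTP_WEFERER by a proxy or personal firewall simply counts as absent; the allowed host name is an assumption.

```python
from urllib.parse import urlsplit

# Assumption: the site that is allowed to embed the counter (hypothetical host).
ALLOWED_HOSTS = {"www.yoursite.here"}


def referer_policy(environ, allowed_hosts=ALLOWED_HOSTS):
    """Return "allow" or "deny" for one request.

    Policy from the post: no Referer -> allow (it is optional and proxies
    clobber it); Referer present and pointing somewhere else -> deny.
    This is a nuisance filter against other sites hot-linking, not
    authentication: the header is client-supplied and trivially wrong.
    """
    referer = environ.get("HTTP_REFERER")
    if not referer:
        # Missing, empty, or stored under another key (e.g. HTTP_WEFERER):
        # treat as absent and allow.
        return "allow"
    try:
        parts = urlsplit(referer)
    except ValueError:
        # Unparseable value (e.g. a malformed IPv6 literal): present and wrong.
        return "deny"
    # A bare token like 'EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV' has no scheme or
    # host, so it is "present and wrong" and gets denied.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "deny"
    # Compare the full host name, not a substring, so that
    # www.yoursite.here.evil.example does not pass. .hostname is already
    # lower-cased and has any port stripped.
    return "allow" if parts.hostname in allowed_hosts else "deny"


def demo():
    """Constructed sample environs covering each branch of the policy."""
    samples = {
        "no header": {},
        "renamed by firewall": {"HTTP_WEFERER": "EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV"},
        "own site": {"HTTP_REFERER": "HTTP://WWW.YOURSITE.HERE:80/your_app/"},
        "other site": {"HTTP_REFERER": "http://other.example/page.html"},
        "garbage value": {"HTTP_REFERER": "EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV"},
        "lookalike host": {"HTTP_REFERER": "http://www.yoursite.here.evil.example/"},
    }
    return {name: referer_policy(env) for name, env in samples.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```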