HTTP_WEFERER

Warren Raquel warquel at hotmail.com
Tue Oct 22 12:14:55 PDT 2002


I don't rely on HTTP_REFERER, it's just one of a few different safeguards. 
All information is checked against a database and session cookies anyway, I 
just use HTTP_REFERER to prevent direct access to some pages from offsite 
(i.e. only referred to from specific pages within the site) to reduce some 
headaches and that's after checking credentials. I'm just wondering why I 
can't find more information on it on the web. :)

Warren Raquel MCP CCNA

- Just another geek.





>From: Eric Eisenhart <eric at eisenhart.com>
>Reply-To: <talk at nblug.org>
>To: talk at nblug.org
>Subject: Re: HTTP_WEFERER
>Date: Tue, 22 Oct 2002 12:06:18 -0700
>
>On Tue, Oct 22, 2002 at 01:47:02PM -0500, Warren Raquel wrote:
> > I have a LAMP site that uses HTTP_REFERER as part of the security. It turns
> > out that personal firewalls like Norton Personal Firewall and ZoneAlarm
> > (regular/pro) register HTTP_WEFERER and not HTTP_REFERER and the value is
> > something like 'EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV'. I did a google search
> > and the information I found was on 2 pages and was very much lacking.
> > Anyone else run into this or know where I can find more information?
>
>HTTP_REFERER != security.
>
>HTTP_REFERER is easy enough to fake if you need to (anything at all that the
>user sends you is) and has a risk of showing up in the access logs of other
>sites.  Heck, some sites have access logs that are public.  (or summaries
>that would include that kind of information...) -- just do a google search
>for "http://www.yoursite.here/your_app/" and find those logs if they're
>there.
>
>I've never seen that specific behavior that you're talking about, but it's
>not uncommon for proxy servers to clobber HTTP_REFERER in various ways.
>
>I'd suggest a session variable via a cookie or a real login.
>
>(or if you're trying to implement "security" of the sort that an application
>like a web-counter or something needs to be sure other sites aren't linking
>to your counter, just check for the referer; if it's there and it's wrong,
>deny, if it's correct or not present, allow.)
>--
>Eric Eisenhart                                  eric-dot-sig at eisenhart.com
>Perl, SQL, Linux and Web            ^               IRC: Freiheit at freenode
>Coder, Sysadmin and geek           /e\                AIM: falsch freiheit
>http://eric.eisenhart.com/         ---                       ICQ: 48217244
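The two checks the thread contrasts, written out as an added example (this is not code from either poster's site): a server-side session cookie carries the real access control, and the Referer test is applied only afterwards, using Eric's "present and wrong: deny; correct or absent: allow" rule so that a proxy or personal firewall that strips or renames the header (the HTTP_WEFERER case, which leaves HTTP_REFERER unset) does not lock a logged-in user out. The handler takes a CGI/WSGI-style environ dict; the host name, allowed referring path, cookie name and the requests at the bottom are assumptions constructed for the example.

```python
"""Added example, not code from the thread: session check first, Referer check
second, over CGI/WSGI-style environ dicts (HTTP_REFERER, HTTP_COOKIE, ...).
SITE_HOST, ALLOWED_REFERRERS, SESSION_COOKIE and the sample requests are
assumptions made for illustration."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse
import secrets

SITE_HOST = "www.example.com"          # assumed site host
ALLOWED_REFERRERS = {"/app/menu.php"}  # assumed on-site pages allowed to link here
SESSION_COOKIE = "sid"                 # assumed cookie name
SESSIONS = {}                          # server-side session store: token -> user


def login(user):
    """Issue an unguessable session token; this, not the Referer, is the access control."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def session_user(environ):
    """Return the user bound to a valid session cookie, or None."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get(SESSION_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None


def referer_ok(environ):
    """Eric's rule for hotlink-style checks: deny only when a Referer is present
    AND wrong.  An absent Referer is allowed, because proxies and personal
    firewalls strip or mangle it; a request carrying HTTP_WEFERER instead of
    HTTP_REFERER lands in the 'absent' branch and is not penalised."""
    ref = environ.get("HTTP_REFERER")
    if not ref:
        return True
    parsed = urlparse(ref)
    return parsed.netloc == SITE_HOST and parsed.path in ALLOWED_REFERRERS


def handle(environ):
    """Credentials first, Referer second; returns an HTTP status code."""
    if session_user(environ) is None:
        return 401
    if not referer_ok(environ):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    sid = login("warren")
    cookie = f"{SESSION_COOKIE}={sid}"

    # 1. Logged in, Referer renamed by a personal firewall: allowed.
    print(handle({"HTTP_COOKIE": cookie,
                  "HTTP_WEFERER": "EXCAXZOWCONEUQZAAFXISHJEXXIMQZUIV"}))  # 200

    # 2. Logged in, but linked from an off-site page: denied by the Referer check.
    print(handle({"HTTP_COOKIE": cookie,
                  "HTTP_REFERER": "http://other.example/links.html"}))     # 403

    # 3. No session, forged 'correct' Referer: the Referer check alone passes,
    #    which is why it is not security; the session check is what stops it.
    forged = {"HTTP_REFERER": f"http://{SITE_HOST}/app/menu.php"}
    print(referer_ok(forged), handle(forged))                             # True 401
```

Note that case 3 is the whole argument of the thread: anything the client sends, the Referer included, costs an attacker one line to forge, so the only check that can refuse the request is the one bound to server-side state.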

