GingerNinja wrote:
On a basic level HTTP_REFERER would allow the ASP script to detect
where the HTML page was posted from, you could check the domain. If it
were posted from a HTML page on someones PC there would be no
HTTP_REFERER, unless ofcouse you spoof it. Like I said its a flawed
method. WHICH IS WHY I ASKED FOR HELP!
My point is that, while HTTP_REFERER can be useful, you should try to avoid
depending on it for your application to function.
And your application *security* should never depend on it. If you have
something worth protecting, that is.
What should you use? SSL, for one thing. I know it's expensive, but anything
worthwhile usually is. Besides, you probably don't need to use SSL for the
entire application.
Amazon represents a decent model for web applications that mix secure and
non-secure segments. Most of what you do on their site requires no security.
You get to queue up a transaction -- and quite possibly an enormous one --
while your identity has not been confirmed (and might be entirely unknown),
then commit to it only after logging in through the secure server.
While you are using Amazon's site, your session is tracked, whether you have
logged in or not. That session spans their entire server farm, and in some
circumstances can even be resumed from another computer/browser session.
Do yourself a favor, and trace a visit to Amazon**. Put something in your
shopping cart and proceed to checkout (no need to actually check out). Look
at the progression of redirections and cookies in the process. Consider what
Amazon gets from each request and how that maps to WHAT AMAZON KNOWS. For
example, I typed in
http://amazon.com/ and this was what my browser sent
(cleaned up for display and privacy):
GET
http://amazon.com/ HTTP/1.1
Host: amazon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7)
Gecko/20040614 Firefox/0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;
q=0.9,text/plain;q=0.8,ima ge/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: x-main=X6u4uuCVtn pcgyxVkjY4DkoHx qK01gzx;
session-id-time=1095667200 ;
ubid-main=430-2712009-5438522;
session-id=102-3281207-0584588;
order_cache_pri med=1A3DQZB9MCK XADJ;
obidos_path_con tinue-shopping=contin ue-shopping-url=
/subst/home/home.html/102-3281207-0584588&
continue-shopping-post-data=
&continue-shopping-description=gen eric.gateway.de fault
Not much in there about me, right? But it did greet me with "Hello, Dave
Anderson", and there was even an item in my shopping cart from a session I
initiated at a different computer several days ago. Interestingly, each
browser has a unique cookie signature, and each of MY combinations of
cookies maps to the same common "session".
At this point, you're probably wondering what this has to do with security.
Well, it has *everything* to do with security. Amazon understands that a
request is just a bundle of unverified stuff thrown at its servers. It knows
not to trust most of the information in the request -- and that includes
HTTP_REFERER. I would venture a guess that Amazon trusts nothing whatsoever
in this request.
The site uses a token to track the session. It only puts the token into a
relationship of trust when I log in through the SSL segment. Everything
leading up to that point is a staging step. Nothing important happens out
there.
In short, you should act as though the client is free to change anything he
likes in the request. If you are unable to accept that, then you should
reconsider having a web application at all.
**SUGGESTION: Use Mozilla FireFox (
http://www.mozilla.org/products/firefox/)
and the LiveHTTPHeaders extension
(
http://extensionroom.mozdev.org/more...ivehttpheaders) to view the
traffic. The default filter (/$|.html$) helps cut some of the noise at the
beginning, but you can't see the entire picture if you leave it on.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
