Well, all it would take is for somebody to write to the headers, and your
security has been defeated. Do you have any control over this other site? If
so, then you can have that site set some variable somewhere that your target
site goes in and reads. For example, it could generate a new GUID, store
this in a database, and then add it to the querystring. The target site can
then read this GUID, compare it to the database, and then clear the
database. If you need to be absolutely guaranteed that the user hasn't
modified the headers somehow, then you have to store something on your end
that the user/attacker can not get to.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--
"Aaron" <ku*****@yahoo.com> wrote in message
news:eB**************@TK2MSFTNGP12.phx.gbl...
I would like to make a page that's only accessible from a certain website,
so I did this:
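// UrlReferrer is null when the request carries no Referer header
if (HttpContext.Current.Request.UrlReferrer != null &&
    HttpContext.Current.Request.UrlReferrer.ToString().Trim().StartsWith("http://www.approveddomain.com"))
    method(); // access page
else
    accessdenied();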
--------------
Did I do this right? I know there are programs out there that can spoof the
HTTP referrer. Would my code still work?
i.e. a spoofed URL:
http://www.hacker.com/@http://www.approveddomain.com
I need to make sure my code works 100% of the time.
Thanks
Aaron
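
Added example, not part of the original thread: a sketch of the one-time token handoff described in the reply (generate, store server-side, pass in the querystring, compare, clear). The in-memory dictionary stands in for the shared database, and the class and method names, the target.example URL, the expiry time and the use of a CSPRNG instead of Guid.NewGuid() are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical store; in production this is a table both sites can reach.
public sealed class OneTimeTokenStore
{
    private readonly ConcurrentDictionary<string, DateTime> _issued =
        new ConcurrentDictionary<string, DateTime>();
    private readonly TimeSpan _lifetime;

    public OneTimeTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Referring site: create a token, record it, append it to the link.
    public string Issue(DateTime nowUtc)
    {
        var bytes = new byte[16];                 // 128 bits, the size of a GUID
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);                  // unpredictable, unlike a guessable counter
        string token = new Guid(bytes).ToString("N");
        _issued[token] = nowUtc + _lifetime;      // stored where the client cannot reach it
        return token;
    }

    // Target site: accept a token at most once, then it is gone.
    public bool Redeem(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return false;
        DateTime expires;
        // TryRemove is atomic, so two concurrent requests cannot both succeed.
        if (!_issued.TryRemove(token, out expires)) return false;
        return nowUtc <= expires;                 // stale tokens are removed and rejected
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new OneTimeTokenStore(TimeSpan.FromMinutes(2));
        DateTime now = DateTime.UtcNow;
        string token = store.Issue(now);
        Console.WriteLine("link: http://target.example/page.aspx?t=" + token);
        Console.WriteLine(store.Redeem(token, now));                        // first use
        Console.WriteLine(store.Redeem(token, now));                        // same token again
        Console.WriteLine(store.Redeem(Guid.NewGuid().ToString("N"), now)); // never issued
        Console.WriteLine(store.Redeem(store.Issue(now), now.AddMinutes(5))); // expired
    }
}
```

Unlike the Referer header, the token is checked against state held on the server, so changing request headers does not help a client that was never issued one.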