Bytes | Software Development & Data Engineering Community
Control referring domain, another HTTP_REFERER option?

CG
Hi

I need to implement some low level security that locks a certain page
if the user does come from a particular link (which is hosted on
another domain). I've considered using HTTP_REFERER variable but
seems this is a little shaky as it is not always set.

Does anyone have a solution that would allow me to restrict? I figure
I can't use a session as it is linked from another domain - same with
cookies.

Any thoughts?
Dec 10 '07 #1
> I need to implement some low level security that locks a certain page
> if the user does come from a particular link (which is hosted on
> another domain). I've considered using HTTP_REFERER variable but
> seems this is a little shaky as it is not always set.

HTTP_REFERER is trivially fakable. Plus, some users can't send it
if their lives depended on it, because ISP proxies may delete it.
Why do you need joke-level security?

Well, you could use a CAPTCHA. Or you could ask for a password and
not check it. Both probably provide better joke-level security.

> Does anyone have a solution that would allow me to restrict?

If you trust the user's browser, you've thrown your security out
the window. And in this situation, only the browser knows where
it last was.

> I figure
> I can't use a session as it is linked from another domain - same with
> cookies.
Dec 10 '07 #2
CG
On Dec 10, 6:50 pm, gordonb.lz...@burditt.org (Gordon Burditt) wrote:
> > I need to implement some low level security that locks a certain page
> > if the user does come from a particular link (which is hosted on
> > another domain). I've considered using HTTP_REFERER variable but
> > seems this is a little shaky as it is not always set.
>
> HTTP_REFERER is trivially fakable. Plus, some users can't send it
> if their lives depended on it, because ISP proxies may delete it.
> Why do you need joke-level security?
>
> Well, you could use a CAPTCHA. Or you could ask for a password and
> not check it. Both probably provide better joke-level security.
>
> > Does anyone have a solution that would allow me to restrict?
>
> If you trust the user's browser, you've thrown your security out
> the window. And in this situation, only the browser knows where
> it last was.
>
> > I figure
> > I can't use a session as it is linked from another domain - same with
> > cookies.

Does this mean you really can't control it because the only thing that
tracks where the browser has come from is the browser, and this can't
be trusted?

I've thought about setting a cookie on the other domain that my domain
will check (that way I'll know if they've at least come from there).
Can a cookie be set to be accessible from "any" domain?
Dec 11 '07 #3
CG wrote:
> On Dec 10, 6:50 pm, gordonb.lz...@burditt.org (Gordon Burditt) wrote:
> > > I need to implement some low level security that locks a certain page
> > > if the user does come from a particular link (which is hosted on
> > > another domain). I've considered using HTTP_REFERER variable but
> > > seems this is a little shaky as it is not always set.
> >
> > HTTP_REFERER is trivially fakable. Plus, some users can't send it
> > if their lives depended on it, because ISP proxies may delete it.
> > Why do you need joke-level security?
> >
> > Well, you could use a CAPTCHA. Or you could ask for a password and
> > not check it. Both probably provide better joke-level security.
> >
> > > Does anyone have a solution that would allow me to restrict?
> >
> > If you trust the user's browser, you've thrown your security out
> > the window. And in this situation, only the browser knows where
> > it last was.
> >
> > > I figure
> > > I can't use a session as it is linked from another domain - same with
> > > cookies.
>
> Does this mean you really can't control it because the only thing that
> tracks where the browser has come from is the browser, and this can't
> be trusted?
>
> I've thought about setting a cookie on the other domain that my domain
> will check (that way I'll know if they've at least come from there).
> Can a cookie be set to be accessible from "any" domain?

No. Cookies can only be accessed from the domain creating the cookie.
Anything else would be a huge security concern. Can you imagine a rogue
site getting all of the cookies on your system? Shudder!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 11 '07 #4
> > > I need to implement some low level security that locks a certain page
> > > if the user does come from a particular link (which is hosted on
> > > another domain). I've considered using HTTP_REFERER variable but
> > > seems this is a little shaky as it is not always set.
> >
> > HTTP_REFERER is trivially fakable. Plus, some users can't send it
> > if their lives depended on it, because ISP proxies may delete it.
> > Why do you need joke-level security?

Step back from the problem a little. Specifically WHAT problem are
you attempting to solve? Deep linking by Google? Too much traffic
to your site? Links from fark.com? Spammers abusing your feedback
page?

If you have gotten to the point of seriously considering handing
out ID cards to alligators to limit them to ONE bite of your ass
each, it's time to take a step back and realize that the original
problem was to drain the swamp.

> > Well, you could use a CAPTCHA. Or you could ask for a password and
> > not check it. Both probably provide better joke-level security.
> >
> > > Does anyone have a solution that would allow me to restrict?
> >
> > If you trust the user's browser, you've thrown your security out
> > the window. And in this situation, only the browser knows where
> > it last was.
> >
> > > I figure
> > > I can't use a session as it is linked from another domain - same with
> > > cookies.
>
> Does this mean you really can't control it because the only thing that
> tracks where the browser has come from is the browser, and this can't
> be trusted?

Essentially, yes. If the two web servers in different domains are
under common administrative control (meaning, among other things,
that the same programmer could arrange changes on both of them),
so they could share a database, the referring web server could leave
a note that the referred web server could look at to see if the
same browser hit the referring page recently.

> I've thought about setting a cookie on the other domain that my domain
> will check (that way I'll know if they've at least come from there).

Cookies are designed not to work that way. Users need some privacy
left. And you (your web site) couldn't put anything (e.g. "remember
my login" cookies) into a cookie safely if every other web site the
user visits (including the evil ones) can see it (and try to hack
it).

> Can a cookie be set to be accessible from "any" domain?

No. And if it could, chances are everyone would ban them, and you'd
have about a gigabyte of them from doubleclick.net alone.
Dec 11 '07 #5
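The two threads of advice above (#2: only the browser knows where it last was, so a Referer check is worthless; #5: if both servers can share a database, the referring server can leave a note for the referred one) come together in the following sketch. It is an added example, not code posted by anyone in the thread: the referring page mints a random token, records it in a store both servers can reach, and embeds it in the outbound link; the locked page looks the token up instead of reading HTTP_REFERER. It goes slightly beyond Gordon's wording by making each note single-use and short-lived. The class and function names, the five-minute lifetime, the `t` query parameter and the example URLs are assumptions made for this illustration; the dictionary stands in for the shared database table.

```python
# Added example, not from the thread: the "leave a note in a shared database"
# approach from reply #5, used instead of trusting HTTP_REFERER.
# The referring page issues a random, single-use, short-lived token, records it
# in a store both servers can read, and puts it in the link. The locked page
# looks the token up before serving anything. Names, the 5-minute lifetime and
# the example URLs are assumptions made for this illustration.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL_SECONDS = 300  # assumption: a link stays valid for five minutes


class SharedTokenStore:
    """Stand-in for the database table shared by the two web servers."""

    def __init__(self):
        self._tokens = {}  # token -> [issued_at, used]

    def issue(self, now=None):
        """Referring server: mint an unguessable token and record it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[token] = [now, False]
        return token

    def redeem(self, token, now=None):
        """Referred server: accept a token exactly once, while it is fresh."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:  # never issued by us (or simply made up)
            return False
        issued_at, used = entry
        if used or now - issued_at > TOKEN_TTL_SECONDS:
            return False  # replayed, or stale
        entry[1] = True  # burn it so the same link cannot be reused
        return True


def referring_page_link(store, target="https://www.example.com/locked.php", now=None):
    """What the page on the referring domain renders as its outbound link."""
    return f"{target}?{urlencode({'t': store.issue(now)})}"


def locked_page_allowed(store, request_url, now=None):
    """Gate check the locked page runs on the URL it was requested with."""
    tokens = parse_qs(urlsplit(request_url).query).get("t", [])
    if len(tokens) != 1:  # parameter missing or supplied more than once
        return False
    return store.redeem(tokens[0], now)


def demo():
    """Constructed scenario: one honest click, then the ways a bypass fails."""
    store = SharedTokenStore()
    link = referring_page_link(store, now=1_000.0)
    locked = "https://www.example.com/locked.php"
    return {
        "first click": locked_page_allowed(store, link, now=1_010.0),
        "same link replayed": locked_page_allowed(store, link, now=1_020.0),
        "no token at all": locked_page_allowed(store, locked, now=1_020.0),
        "made-up token": locked_page_allowed(store, locked + "?t=guess", now=1_020.0),
        "stale link": locked_page_allowed(
            store, referring_page_link(store, now=0.0), now=TOKEN_TTL_SECONDS + 1.0
        ),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} -> {'served' if allowed else 'refused'}")
```

Nothing here depends on a header the browser chooses to send: the only thing the browser carries is an opaque token that is worthless once redeemed or after five minutes. The token still ends up in browser history and in both servers' access logs, which is why it is single-use; serve both pages over HTTPS so it is not exposed in transit. The store has to be reachable from both servers, which is exactly the shared-database condition Gordon sets, and the in-memory dictionary is only a stand-in for that table.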
