
Control referring domain, another HTTP_REFERER option?

CG
Hi

I need to implement some low level security that locks a certain page
if the user does come from a particular link (which is hosted on
another domain). I've considered using HTTP_REFERER variable but
seems this is a little shaky as it is not always set.

Does anyone have a solution that would allow me to restrict? I figure
I can't use a session as it is linked from another domain - same with
cookies.

Any thoughts?
Dec 10 '07 #1
4 Replies


>I need to implement some low level security that locks a certain page
>if the user does come from a particular link (which is hosted on
>another domain). I've considered using HTTP_REFERER variable but
>seems this is a little shaky as it is not always set.
HTTP_REFERER is trivially fakable. Plus, some users can't send it
if their lives depended on it, because ISP proxies may delete it.
Why do you need joke-level security?

Well, you could use a CAPTCHA. Or you could ask for a password and
not check it. Both probably provide better joke-level security.
>Does anyone have a solution that would allow me to restrict?
If you trust the user's browser, you've thrown your security out
the window. And in this situation, only the browser knows where
it last was.
>I figure
>I can't use a session as it is linked from another domain - same with
>cookies.
Dec 10 '07 #2

CG
On Dec 10, 6:50 pm, gordonb.lz...@burditt.org (Gordon Burditt) wrote:
>>I need to implement some low level security that locks a certain page
>>if the user does come from a particular link (which is hosted on
>>another domain). I've considered using HTTP_REFERER variable but
>>seems this is a little shaky as it is not always set.
>
>HTTP_REFERER is trivially fakable. Plus, some users can't send it
>if their lives depended on it, because ISP proxies may delete it.
>Why do you need joke-level security?
>
>Well, you could use a CAPTCHA. Or you could ask for a password and
>not check it. Both probably provide better joke-level security.
>>Does anyone have a solution that would allow me to restrict?
>
>If you trust the user's browser, you've thrown your security out
>the window. And in this situation, only the browser knows where
>it last was.
>>I figure
>>I can't use a session as it is linked from another domain - same with
>>cookies.
Does this mean you really can't control it because the only thing that
tracks where the browser has come from is the browser, and this can't
be trusted?

I've thought about setting a cookie on the other domain that my domain
will check (that way I'll know if they've at least come from there).
Can a cookie be set to be accessible from "any" domain?
Dec 11 '07 #3

CG wrote:
>On Dec 10, 6:50 pm, gordonb.lz...@burditt.org (Gordon Burditt) wrote:
>>>I need to implement some low level security that locks a certain page
>>>if the user does come from a particular link (which is hosted on
>>>another domain). I've considered using HTTP_REFERER variable but
>>>seems this is a little shaky as it is not always set.
>>HTTP_REFERER is trivially fakable. Plus, some users can't send it
>>if their lives depended on it, because ISP proxies may delete it.
>>Why do you need joke-level security?
>>
>>Well, you could use a CAPTCHA. Or you could ask for a password and
>>not check it. Both probably provide better joke-level security.
>>>Does anyone have a solution that would allow me to restrict?
>>If you trust the user's browser, you've thrown your security out
>>the window. And in this situation, only the browser knows where
>>it last was.
>>>I figure
>>>I can't use a session as it is linked from another domain - same with
>>>cookies.
>
>Does this mean you really can't control it because the only thing that
>tracks where the browser has come from is the browser, and this can't
>be trusted?
>
>I've thought about setting a cookie on the other domain that my domain
>will check (that way I'll know if they've at least come from there).
>Can a cookie be set to be accessible from "any" domain?
No. Cookies can only be accessed from the domain creating the cookie.
Anything else would be a huge security concern. Can you imagine a rogue
site getting all of the cookies on your system? Shudder!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 11 '07 #4

>>I need to implement some low level security that locks a certain page
>>if the user does come from a particular link (which is hosted on
>>another domain). I've considered using HTTP_REFERER variable but
>>seems this is a little shaky as it is not always set.
>
>HTTP_REFERER is trivially fakable. Plus, some users can't send it
>if their lives depended on it, because ISP proxies may delete it.
>Why do you need joke-level security?
Step back from the problem a little. Specifically WHAT problem are
you attempting to solve? Deep linking by Google? Too much traffic
to your site? Links from fark.com? Spammers abusing your feedback
page?

If you have gotten to the point of seriously considering handing
out ID cards to alligators to limit them to ONE bite of your ass
each, it's time to take a step back and realize that the original
problem was to drain the swamp.
>Well, you could use a CAPTCHA. Or you could ask for a password and
>not check it. Both probably provide better joke-level security.
>>Does anyone have a solution that would allow me to restrict?
>
>If you trust the user's browser, you've thrown your security out
>the window. And in this situation, only the browser knows where
>it last was.
>>I figure
>>I can't use a session as it is linked from another domain - same with
>>cookies.
>
>Does this mean you really can't control it because the only thing that
>tracks where the browser has come from is the browser, and this can't
>be trusted?
Essentially, yes. If the two web servers in different domains are
under common administrative control (meaning, among other things,
that the same programmer could arrange changes on both of them),
so they could share a database, the referring web server could leave
a note that the referred web server could look at to see if the
same browser hit the referring page recently.
>I've thought about setting a cookie on the other domain that my domain
>will check (that way I'll know if they've at least come from there).
Cookies are designed not to work that way. Users need some privacy
left. And you (your web site) couldn't put anything (e.g. "remember
my login" cookies) into a cookie safely if every other web site the
user visits (including the evil ones) can see it (and try to hack
it).
>Can a cookie be set to be accessible from "any" domain?
No. And if it could, chances are everyone would ban them, and you'd
have about a gigabyte of them from doubleclick.net alone.
Dec 11 '07 #5
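The shared-database "note" Gordon describes above, as an added example that is not part of the original thread: the referring server records a random one-time token in a store both servers can reach and puts it in the link; the referred server accepts the request only if that token is present, fresh and unused. The in-memory dict standing in for the shared database, the 60-second lifetime and the `t` query parameter are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

# In-memory stand-in for the database both servers share (assumption:
# a real deployment would use a table or cache reachable by both hosts).
SHARED_STORE = {}
TOKEN_TTL_SECONDS = 60  # how long a note stays valid (assumed value)


def issue_link(protected_url, now=None):
    """Referring server: leave a note (random one-time token with its issue
    time) in the shared store and return the link that carries it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, unlike HTTP_REFERER
    SHARED_STORE[token] = now
    return f"{protected_url}?t={token}"


def token_from_url(request_url):
    """Referred server: pull the token out of the requested URL, or None."""
    query = parse_qs(urlparse(request_url).query)
    values = query.get("t", [])
    return values[0] if values else None


def is_authorized(request_url, now=None):
    """Referred server: accept only if the note exists and is fresh. The note
    is removed either way, so a copied link cannot be replayed."""
    now = time.time() if now is None else now
    token = token_from_url(request_url)
    if token is None:
        return False
    issued = SHARED_STORE.pop(token, None)
    if issued is None:
        return False  # never issued, already used, or expired earlier
    return (now - issued) <= TOKEN_TTL_SECONDS


if __name__ == "__main__":
    link = issue_link("https://protected.example/page")
    print(link)
    print("first visit:", is_authorized(link))  # True
    print("replay:", is_authorized(link))       # False
```

This proves only that someone fetched the referring page within the last minute, not which browser did so; as the thread says, without a store both servers control no such check is possible at all.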
