  1. #1
    SitePoint Evangelist (Join Date: Mar 2005, Posts: 523)

    $_SERVER['HTTP_REFERER'] help

    Hi Guys

    I have been reading elsewhere in the forum that $_SERVER['HTTP_REFERER']
    is not reliable and secure. Does it mean that we should not use it?

    I basically need to make sure that if you want to get into anypage.php
    then you must come from thispage.php and nowhere else.

    Is that ok, or are there alternatives?

    Peace
    Niva

  2. #2
    SitePoint Author (Join Date: Nov 2004, Location: Ankh-Morpork, Posts: 12,158)
    It's not reliable, but that doesn't mean you can't use it, only that you can't rely on it.

    Modern browsers allow users to disable the referrer (Referer) header, for reasons of privacy. Also, firewalls and proxies may strip or change this field.

    If you need to make sure that your visitors come to anypage.php from thispage.php, you can make it a requirement that the referrer header be enabled. You will risk losing some visitors, but it may be worth it. Roger Johansson does this when posting comments. If you don't enable the referrer header, you won't be allowed to post comments. That's part of his strategy to minimise comment spam.
    Birnam wood is come to Dunsinane

  3. #3
    SitePoint Evangelist (Join Date: Mar 2005, Posts: 523)
    Thanks for replying..

    So there is no way possible to make sure that thispage.php can only be accessed from thatpage.php

    Are there other ideas....


    Niva

  4. #4
    SitePoint Guru aamonkey (Join Date: Sep 2004, Location: kansas, Posts: 953)
    set a session var on the first page and check for it on the 2nd page.

  5. #5
    SitePoint Evangelist (Join Date: Mar 2005, Posts: 523)
    Problem with session is that once it is set I can go to any other page and then access the protected page again. If I unset it at the protected page after it is accessed, then if I refresh the protected page it will not be set and will follow the necessary errors...

    Please help guys
    Niva

  6. #6
    SitePoint Guru aamonkey (Join Date: Sep 2004, Location: kansas, Posts: 953)
    sessions are really about your only other option. I guess I don't understand why if they legitimately accessed the protected page it would matter if they went to another page and then came back....

  7. #7
    SitePoint Author (Join Date: Nov 2004, Location: Ankh-Morpork, Posts: 12,158)
    Quote Originally Posted by nivashni
    So there is no way possible to make sure that thispage.php can only be accessed from thatpage.php
    The referrer header can be spoofed, so there are no guarantees.

    You can generate a unique token in a database, which you pass on to thispage.php (via GET or POST). Then thispage.php can verify the token against the valid tokens in the database to see if the request is legitimate or not.
    Birnam wood is come to Dunsinane

  8. #8
    SitePoint Evangelist spinmaster (Join Date: Mar 2005, Posts: 456)
    Quote Originally Posted by AutisticCuckoo
    You can generate a unique token in a database, which you pass on to thispage.php (via GET or POST). Then thispage.php can verify the token against the valid tokens in the database to see if the request is legitimate or not.
    That's most probably the best solution..otherwise I would stick with sessions.

  9. #9
    SitePoint Addict (Join Date: Oct 2004, Location: Brooklyn, NY, Posts: 359)
    Yes, use sessions or pass a token, as others have suggested.

    This is exactly the type of situation where Referer is useless. This is sent by the client, and an attacker knows exactly what you expect it to be. Therefore, it offers zero protection. I try to emphasize this by pointing out that a better protection is to make an attacker choose between heads and tails. At least an attacker will only guess that right about half the time instead of every time.
    Chris Shiflett
    http://shiflett.org/
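The single-use token that posts #7 and #9 recommend, as an added example that is not code from anyone in this thread. It assumes the thispage.php and anypage.php names from the question and a 300-second token lifetime; the token store is the PHP session here, and a database table (AutisticCuckoo's variant) would play the same role.

```php
<?php
// Added example: a single-use token ties a request to anypage.php to a
// link that thispage.php handed out, instead of trusting the Referer
// header, which the client controls and can set to anything it likes.
session_start();

const TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

// thispage.php: mint a token and embed it in the link to anypage.php.
function issue_token(): string
{
    $token = bin2hex(random_bytes(32));        // 256 unguessable bits
    $_SESSION['page_tokens'][$token] = time(); // remember when it was issued
    return $token;
}

// anypage.php: accept the request only if it carries a token we issued,
// the token is still fresh, and it has not been used before.
function consume_token(?string $presented): bool
{
    if ($presented === null || empty($_SESSION['page_tokens'])) {
        return false;
    }
    foreach ($_SESSION['page_tokens'] as $token => $issued) {
        $token = (string) $token;
        if (time() - $issued > TOKEN_TTL) {           // expired: drop it
            unset($_SESSION['page_tokens'][$token]);
            continue;
        }
        if (hash_equals($token, $presented)) {        // constant-time compare
            unset($_SESSION['page_tokens'][$token]);  // single use
            return true;
        }
    }
    return false;
}

// --- on thispage.php ---
// $t = issue_token();
// echo '<a href="anypage.php?t=' . urlencode($t) . '">continue</a>';

// --- on anypage.php ---
// if (!consume_token($_GET['t'] ?? null)) {
//     http_response_code(403);
//     exit('Please start from thispage.php');
// }
```

Because the token is consumed on first use, a refresh of anypage.php is rejected, which is the behaviour nivashni describes in #5; if a refresh must keep working, leave the token in place until it expires instead of deleting it on the first hit.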

