Thread: Referer Check

  1. #1
    SitePoint Zealot

    Referer Check

    I discovered a nice example where access to a website is restricted somehow to direct users, and is only allowed if clicked from a page within another domain name, here it is:

    Main Domain: http://www.orange.md/
    If you go to "Orange Text" and click it, you'll be directed to http://www.orangetext.md/

    If you try to access the second address directly, you won't be able to view the content and will be redirected to the main website.

    How is this being done, I assume it has to play with the remote referer, but how?

    Thanks a lot in advance!

  2. #2
    From Italy with love
    guido2004
    PHP Code:
    if ($_SERVER['HTTP_REFERER'] != 'xxxxx') exit(); 
    or something like that

  3. #3
    SitePoint Zealot
    Thanks, guido.

    I've been through this by now and it does sound like a way to do so. But if I want to use it as authentication for instance, then I should probably be aware of the fact that the $_SERVER['HTTP_REFERER'] value is fairly easy to spoof. What do you say? Is there a more secure way to deal with this case?

  4. #4
    Non-Member
    So, just don't use it as authentication

  5. #5
    SitePoint Zealot
    Quote, originally posted by Shrapnel_N5:
    So, just don't use it as authentication
    Alright.

    To let you more into the idea, I am looking to allow remote domains to download files from a parent website only if authentication is passed. For that, I thought I'd work with the server referer or remote_addr values, both of which can apparently be faked. If someone knows a better and more secure way to do this, please let me know!

  6. #6
    Non-Member
    Wrong.
    remote_addr cannot be faked, and can be used for auth as well.

    Please define more clearly who will download these files and how.
    If you are speaking of servers, not clients, there would be no referer at all.
    There is just no "referring page", so no referer header either.
    But any header can be set manually.

  7. #7
    SitePoint Wizard
    PHPycho
    Quote, originally posted by guido2004:
    PHP Code:
    if ($_SERVER['HTTP_REFERER'] != 'xxxxx') exit(); 
    or something like that
    I think HTTP_REFERER can never be trusted. It can be faked.

  8. #8
    SitePoint Zealot
    Ideally, I'd like to give access to certain domains to download files to their servers using fopen(). I hope it makes better sense now...

  9. #9
    Non-Member
    You can check remote_addr then. It is pretty secure.
    Also, you can use Apache Basic HTTP Authorisation, and they can use fopen with
    http://user:pass@domain.com
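
Added example, not code from the thread or from any poster: a PHP 7+ sketch of the download gate discussed in posts #6 and #9, which checks HTTP Basic credentials and REMOTE_ADDR and never reads the Referer header. The partner name, password, IP addresses (documentation ranges) and file path are constructed placeholders.

```php
<?php
// Added example: allow a download only to a known partner server, identified
// by HTTP Basic credentials plus its source IP. The Referer header is never read.
// Partner name, password, IPs (documentation ranges) and file path are constructed.

$partners = [
    // Store a hash made once with password_hash(); computed inline here only
    // to keep the example self-contained.
    'partner-a' => ['ip' => '203.0.113.10',
                    'hash' => password_hash('example-secret', PASSWORD_DEFAULT)],
];

function is_authorized(array $partners, array $server): bool
{
    // PHP fills PHP_AUTH_USER / PHP_AUTH_PW from the Authorization header
    // (under CGI/FastCGI the web server may need to be configured to pass it).
    $user  = $server['PHP_AUTH_USER'] ?? '';
    $pass  = $server['PHP_AUTH_PW'] ?? '';
    $entry = $partners[$user] ?? null;
    if ($entry === null) {
        return false;
    }
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's
    // address, and X-Forwarded-For is a client-supplied header like Referer.
    if (($server['REMOTE_ADDR'] ?? '') !== $entry['ip']) {
        return false;
    }
    return password_verify($pass, $entry['hash']);
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: the second carries a Referer but no valid credentials.
    $ok  = ['PHP_AUTH_USER' => 'partner-a', 'PHP_AUTH_PW' => 'example-secret',
            'REMOTE_ADDR' => '203.0.113.10'];
    $bad = ['HTTP_REFERER' => 'http://www.orange.md/', 'REMOTE_ADDR' => '198.51.100.7'];
    echo 'credentials + listed IP: ', var_export(is_authorized($partners, $ok), true), "\n";
    echo 'Referer only: ', var_export(is_authorized($partners, $bad), true), "\n";
} elseif (!is_authorized($partners, $_SERVER)) {
    header('WWW-Authenticate: Basic realm="downloads"');
    http_response_code(401);
    exit;
} else {
    // Basic credentials are only base64-encoded, so serve this over HTTPS.
    header('Content-Type: application/octet-stream');
    readfile(__DIR__ . '/files/report.zip');
}
```

Run from the command line, the script evaluates the two constructed requests; served by a web server, it answers 401 unless both checks pass.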

