
http_referer, blank?



Rune Carlsen
05-30-2004, 11:09 AM
Hi.

Could there be times where http_referer is blank, due to some firewall issues or other things?

Rune

brothercake
05-30-2004, 11:45 AM
Some firewalls / proxies / browsers are configured not to send referer information. I'm not sending any now, by choice.

Therefore referer information is not reliable. If you need to validate a form, consider using session-based validation instead.

Rune Carlsen
05-30-2004, 01:43 PM
Thanks for the info.

The thing is that I have a webservice that talks to another webservice, without any problems. The thing is that I want to check whether the initiating client is requesting my webservice from an "accepted domain". We don't want to implement any authentication at server level. Any suggestions?

Rune

liorean
05-30-2004, 07:00 PM
Well, you can't really rely on any data sent by the client over HTTP if you're not using some type of authentication (not necessarily HTTP Auth).

Referer is often blank from within larger networks because they tunnel through a corporate proxy. It may be blocked by some anonymisers, ad blockers or local proxies; or even spyware removal and antivirus programs. There are also proxies that fake the referer in an effort to be able to hotlink images from hosts like geocities, that have hotlinking prevention scripts.


However, there is a certain reliability among the general web client population. You can almost always rely on the referer field, in the cases it is present, to be the actual referring page. This means that if you want to do something similar to hotlink prevention but for your webservice, you can check the referer field and let through requests where it is either blank or an "acceptable domain". It's not as exclusive as what you want, but it's at least ~100% inclusive of all your possible requests from within an "acceptable domain".

Rune Carlsen
05-30-2004, 07:37 PM
Thanks for all the information, pretty useful for me.

The whole point about this webservice is to avoid authentication, as they are logged into another system, on another server system. The webservices are providing authentication.

Rune

Code Wizard
06-09-2004, 11:25 PM
Referer is often blank from within larger networks because they tunnel through a corporate proxy. It may be blocked by some anonymisers, ad blockers or local proxies; or even spyware removal and antivirus programs. There are also proxies that fake the referer in an effort to be able to hotlink images from hosts like geocities, that have hotlinking prevention scripts.

Hotlink prevention scripts... err... although a little off-topic, what are these?

liorean
06-09-2004, 11:54 PM
Hotlink prevention scripts... err... although a little off-topic, what are these?

Hotlinking is the linking of a resource, such as an image, that resides on another server, thus "stealing" their bandwidth by not hosting it yourself (which would likely be a copyright infringement, or at least an infringement of the moral right of a content creator to be acknowledged as the creator of his/her work).

Hotlinking prevention is to take measures against this, such as not allowing access to the resource if your Referer header is different from one of the allowed values, or to redirect to another resource in such cases.
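The permissive Referer policy liorean describes twice in this thread (let the request through when the header is blank or names an acceptable domain, reject everything else, for the webservice case and for hotlink prevention alike) as an added example; this is not code from the thread or from any of the posters. The allowed host name is an assumption, and the sample header values are constructed to show the look-alike, query-string and userinfo tricks a naive substring match would get wrong. The last sample is the caveat from the thread in code form: a Referer that names the allowed host passes, however it was produced.

```python
from urllib.parse import urlsplit

# Assumption: the "acceptable domain" for the web service; hypothetical name.
ALLOWED_HOSTS = {"example.com"}


def classify_referer(referer, allowed=ALLOWED_HOSTS):
    """Return 'absent', 'allowed' or 'foreign' for one Referer header value.

    'absent' covers the proxies, firewalls, browsers and privacy tools that
    strip the header; the server cannot tell that from a client that never
    sent one, which is why the permissive policy lets it through.
    """
    if referer is None or referer.strip() == "":
        return "absent"
    try:
        parts = urlsplit(referer.strip())
    except ValueError:            # e.g. a malformed IPv6 literal in the host
        return "foreign"
    host = (parts.hostname or "").lower()   # hostname drops userinfo and port
    if parts.scheme not in ("http", "https") or not host:
        return "foreign"
    for name in allowed:
        if host == name or host.endswith("." + name):   # exact host or subdomain
            return "allowed"
    return "foreign"


def referer_allowed(referer, allowed=ALLOWED_HOSTS):
    """The policy from the thread: blank or acceptable domain passes, the rest is refused."""
    return classify_referer(referer, allowed) != "foreign"


# Constructed sample header values and the decision the policy should reach.
SAMPLES = [
    ("http://www.example.com/portal/page.html", True),   # subdomain of allowed host
    ("", True),                                           # stripped by a proxy
    (None, True),                                         # header never sent
    ("https://example.com.evil.test/", False),            # suffix look-alike
    ("http://evil.test/?u=http://example.com/", False),   # allowed name only in the query
    ("http://example.com@evil.test/", False),             # allowed name in userinfo
    ("javascript:alert(1)", False),                       # not an http(s) URL at all
    ("http://example.com/", True),                        # anyone can send this with curl -H
]


def run_samples(samples=SAMPLES):
    """Evaluate every sample; returns the list of mismatches (empty when all agree)."""
    mismatches = []
    for ref, want in samples:
        got = referer_allowed(ref)
        if got != want:
            mismatches.append((ref, got))
    return mismatches


if __name__ == "__main__":
    for ref, _ in SAMPLES:
        print(f"{ref!r:48} -> {classify_referer(ref)}")
    print("mismatches:", run_samples())
```

Parsing with `urlsplit` and comparing the host component is what makes the look-alike cases fail; matching the allowed name anywhere in the raw header string would accept all three tricks. The check is still only a filter, not authentication: the last sample passes because the header is client-supplied, which is the point the thread keeps returning to.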

scroots
06-12-2004, 11:02 PM
Produce an algorithm to make a number, based on some fixed variables, time and date etc. Then the legitimate linkers have the script to dynamically write out a valid link, e.g. www.mysite.com/index.php?id=159864. Then from this your server could run a similar script to be able to calculate the range of valid IDs (give or take 5 or 10 minutes) and act accordingly.

Let's say we were to take the time (23:11); we could divide the first part by the second (23/11), then add some stuff to it, e.g. multiply/divide or add a digit to the end, e.g. the date, so you could get 21216 as an ID.

Having the server running a similar script, it could calculate a list of valid IDs as it would have the same information (add, multiply, divide factors) and then it could act on all referers accordingly.

This will keep unauthorised linkers out until they crack your algorithm.

scroots
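The time-windowed link ID scheme scroots sketches above, as an added example that is not code from the thread. One deliberate change from the post: the security rests on a shared secret key fed into an HMAC rather than on keeping the arithmetic itself secret, so there is no formula to "crack" from a handful of observed IDs. The secret, the five-minute bucket size, the tolerance of two buckets either side (the "give or take 5 or 10 minutes" from the post) and the `id=` parameter name are all assumptions; the base URL is the one from the post.

```python
import hmac
import hashlib
import time
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the thread): a random secret shared out of band with
# the legitimate linkers, five-minute buckets, and acceptance of +/- two
# buckets so that clock skew and page caching of a few minutes still work.
SECRET = b"replace-with-a-random-key-shared-with-legitimate-linkers"
BUCKET_SECONDS = 300
TOLERANCE_BUCKETS = 2


def token_for_bucket(secret, bucket):
    """Keyed MAC over the time bucket; the key, not a secret formula, carries the security."""
    mac = hmac.new(secret, str(bucket).encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:32]


def make_link(base_url, secret=SECRET, now=None):
    """What the legitimate linker's script writes out: base_url?id=<token for this window>."""
    now = time.time() if now is None else now
    bucket = int(now) // BUCKET_SECONDS
    return f"{base_url}?id={token_for_bucket(secret, bucket)}"


def valid_token(token, secret=SECRET, now=None, tolerance=TOLERANCE_BUCKETS):
    """Server side: recompute the tokens for the nearby buckets and compare in constant time."""
    if not isinstance(token, str) or not token.isascii():
        return False
    now = time.time() if now is None else now
    bucket = int(now) // BUCKET_SECONDS
    candidates = [token_for_bucket(secret, b)
                  for b in range(bucket - tolerance, bucket + tolerance + 1)]
    return any(hmac.compare_digest(c, token) for c in candidates)


def request_allowed(url, secret=SECRET, now=None):
    """Pull id= out of a requested URL and validate it; no Referer header is consulted."""
    ids = parse_qs(urlsplit(url).query).get("id", [])
    return len(ids) == 1 and valid_token(ids[0], secret, now)


if __name__ == "__main__":
    t0 = 1_000_000   # constructed fixed clock so the run is reproducible
    link = make_link("http://www.mysite.com/index.php", now=t0)
    print(link)
    print("same window  :", request_allowed(link, now=t0 + 60))
    print("10 min later :", request_allowed(link, now=t0 + 600))
    print("25 min later :", request_allowed(link, now=t0 + 1500))
    print("wrong secret :", request_allowed(link, secret=b"other", now=t0))
```

Because the server only enumerates a handful of buckets around the current one, validation is a fixed small amount of work regardless of how many requests arrive, and `hmac.compare_digest` keeps the comparison from leaking which prefix of a guessed token was right. A link captured by someone outside the accepted domain still works for the rest of its window, so the scheme limits hotlinking rather than preventing it, which matches what the post claims for it.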


