  1. #1
    New Coder, Norway

    http_referer, blank?

    Hi.

    Could there be times where http_referer is blank, due to some firewall issues or other things?

    Rune

  • #2
    Senior Coder, near Oswestry
    Some firewalls / proxies / browsers are configured not to send referer information. I'm not sending any now, by choice.

    Therefore referer information is not reliable. If you need to validate a form, consider using session-based validation instead.
    "Why bother with accessibility? ... Because deep down you know that the web is attractive to people who aren't exactly like you." - Joe Clark

  • #3
    New Coder, Norway
    Thanks for the info.

    The thing is that I have a webservice that talks to another webservice, without any problems. The thing is that I want to check whether the initiating client is requesting my webservice from an "accepted domain". We don't want to implement any authentication at server level. Any suggestions?

    Rune

  • #4
    Master Coder, Umeå, Sweden
    Well, you can't really rely on any data sent by the client over HTTP if you're not using some type of authentication (not necessarily HTTP Auth).

    Referer is often blank from within larger networks because they tunnel through a corporate proxy. It may be blocked by some anonymisers, ad blockers or local proxies; or even spyware removal and antivirus programs. There are also proxies that fake the referer in an effort to be able to hotlink images from hosts like Geocities that have hotlinking prevention scripts.

    However, there is a certain reliability among the general web client population. You can almost always rely on the referer field, in the cases where it is present, to be the actual referring page. This means that if you want to do something similar to hotlink prevention but for your webservice, you can check the referer field and let through requests where it is either blank or from an "acceptable domain". It's not as exclusive as what you want, but it's at least ~100% inclusive of all your possible requests from within an "acceptable domain".
    liorean <[lio@wg]>
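The inclusive policy liorean describes (accept when Referer is blank or names an acceptable domain, reject only when it names some other host), as an added example that is not code from the thread. The allow-list and sample headers are constructed for the example. One detail a practitioner would want: the host is taken from a parsed URL, not found by substring search, because a substring check would accept "example.com.attacker.test" as "example.com".

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the thread's "acceptable domains".
ACCEPTED_DOMAINS = {"example.com", "partner.example.org"}


def referer_host(referer):
    """Return the lowercase host named by a Referer value, or None if the
    value is not an http(s) URL with a host.

    urlsplit() is used rather than substring matching so that a host such as
    "example.com.attacker.test" is not mistaken for "example.com".
    """
    parts = urlsplit(referer.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_is_accepted(host):
    """True if host is an accepted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ACCEPTED_DOMAINS)


def referer_decision(headers):
    """Apply the thread's policy to one request.

    headers: dict of request headers (name lookup is case-insensitive).
    Returns (allowed, reason). A blank or absent Referer is allowed, since
    proxies and privacy tools strip it; only a foreign or unparseable host
    is rejected.
    """
    referer = None
    for name, value in headers.items():
        if name.lower() == "referer":
            referer = value
            break
    if referer is None or not referer.strip():
        return True, "no-referer"
    host = referer_host(referer)
    if host is None:
        return False, "unparseable-referer"
    if host_is_accepted(host):
        return True, "accepted-domain"
    return False, "foreign-referer:" + host


if __name__ == "__main__":
    # Constructed sample requests, one header set each.
    samples = [
        {},                                                   # stripped by a proxy
        {"Referer": "https://www.example.com/form.html"},      # accepted subdomain
        {"referer": "http://example.com.attacker.test/x"},     # lookalike host
        {"Referer": "garbage"},                                # not a URL
    ]
    for h in samples:
        print(h.get("Referer", h.get("referer", "<none>")), "->", referer_decision(h))
```

Note that this is a bandwidth-leech filter, not authentication: as the thread says, a client that sets its own headers can send any Referer it likes, so the check only ever excludes the honest-but-unwanted requester.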

  • #5
    New Coder, Norway
    Thanks for all the information, pretty useful for me.

    The whole point about this webservice is to avoid authentication, as they are logged into another system, on another server system. The webservices are providing authentication.

    Rune

  • #6
    Regular Coder, Code Heaven
    Quote Originally Posted by liorean
    Referer is often blank from within larger networks because they tunnel through a corporate proxy. It may be blocked by some anonymisers, ad blockers or local proxies; or even spyware removal and antivirus programs. There are also proxies that fake the referer in an effort to be able to hotlink images from hosts like Geocities that have hotlinking prevention scripts.

    Hotlink prevention scripts... err... although a little off-topic, what are these?

  • #7
    Master Coder, Umeå, Sweden
    Quote Originally Posted by Code Wizard
    Hotlink prevention scripts... err... although a little off-topic, what are these?
    Hotlinking is the linking of a resource, such as an image, that resides on another server, thus "stealing" their bandwidth by not hosting it yourself (which would likely be a copyright infringement, or at least an infringement of the moral right of a content creator to be acknowledged as the creator of his/her work).

    Hotlinking prevention is to take measures against this, such as not allowing access to the resource if the Referer header is different from one of the allowed values, or redirecting to another resource in such cases.
    liorean <[lio@wg]>

  • #8
    Senior Coder, UK
    Produce an algorithm to make a number, based on some fixed variables, time and date etc. Then the legitimate linkers have the script to dynamically write out a valid link, e.g. www.mysite.com/index.php?id=159864. Then from this your server could run a similar script to be able to calculate the range of valid IDs (give or take 5 or ten minutes) and act accordingly.

    Let's say we were to take the time (23:11); we could divide the first part by the second (23/11), then add some stuff to it, e.g. multiply/divide or add a digit to the end, e.g. the date, so you could get 21216 as an ID.

    Having the server running a similar script, it could calculate a list of valid IDs as it would have the same information (add, multiply, divide factors) and then it could allow referers accordingly.

    This will keep unauthorised linkers out until they crack your algorithm.

    scroots
    Spammers, next time you spam me consider the implications:
    (1) that you will be persuaded by me (in a legitimate manner)
    (2) It is worthless to you, when I have finished
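scroots's time-window link id, as an added example that is not the thread's own code. It goes a step beyond the post: instead of arithmetic on the clock alone, which holds only "until they crack your algorithm", the id is an HMAC over the resource name and a five-minute time bucket under a secret shared between the linking site and the server. The server then accepts the ids for the current bucket and its neighbours, which is the "give or take 5 or ten minutes" window. The secret, bucket size, tolerance and resource name are all assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Constructed values for this example. In practice the secret is shared
# out-of-band between the legitimate linking site and the server, and never
# appears in the link itself.
SHARED_SECRET = b"replace-me-with-a-long-random-secret"
BUCKET_SECONDS = 300       # ids change every 5 minutes
TOLERANCE_BUCKETS = 1      # also accept the bucket before and after (clock skew)


def bucket_for(timestamp):
    """Map a Unix timestamp to its 5-minute bucket number."""
    return int(timestamp) // BUCKET_SECONDS


def _id_for_bucket(resource, bucket, secret):
    """HMAC-SHA256 over "resource|bucket", truncated to 16 hex characters.

    Binding the resource name means an id minted for one resource is not
    valid for another; the secret means an observer of a few links cannot
    derive the next one.
    """
    msg = f"{resource}|{bucket}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def make_id(resource, timestamp, secret=SHARED_SECRET):
    """The legitimate linker's side: the id= value to write into a link now."""
    return _id_for_bucket(resource, bucket_for(timestamp), secret)


def valid_ids(resource, timestamp, secret=SHARED_SECRET):
    """The server's side: the set of ids acceptable at this moment."""
    centre = bucket_for(timestamp)
    return {
        _id_for_bucket(resource, b, secret)
        for b in range(centre - TOLERANCE_BUCKETS, centre + TOLERANCE_BUCKETS + 1)
    }


def check_id(resource, presented_id, timestamp=None, secret=SHARED_SECRET):
    """True if presented_id is valid for resource within the tolerance window.

    hmac.compare_digest is used so the comparison does not reveal how many
    leading characters matched.
    """
    if timestamp is None:
        timestamp = time.time()
    wanted = presented_id.encode()
    return any(hmac.compare_digest(wanted, v.encode())
               for v in valid_ids(resource, timestamp, secret))


if __name__ == "__main__":
    now = time.time()
    link_id = make_id("index.php", now)
    print(f"www.mysite.com/index.php?id={link_id}")   # what the linker emits
    print("accepted now:", check_id("index.php", link_id, now))
    print("accepted 20 min later:", check_id("index.php", link_id, now + 1200))
```

The caveat a practitioner would add: a valid id is still reusable by anyone who copies the link within the window, so this limits casual hotlinking rather than authenticating the requester; keep the window short and treat the shared secret like a password.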

