On my site I have an on-line order form which transmits using a modified version of Formmail.
For security reasons, if a form is submitted with the HTTP_REFERER blank (or not my domain) then access is denied and an error message is returned. I also record details of submissions (successful or otherwise) in an error file. (Some failed submissions arise because the form is not correctly completed.)
Examining the Errorfile shows that sometimes customers fill in the form properly but access is denied them as the HTTP_REFERER is blank.
Here is an example:-
Sunday, October 6, 2002 at 19:41:58
62.252.224.8
cache5-leed.server.ntli.net
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; Hotbar 4.1.4.0; .NET CLR 1.0.3705)
Access was denied and an error message screen was displayed.
The customer then did something to correct the situation and re-submitted his form successfully:-
Sunday, October 6, 2002 at 19:42:24
http://www.mydomain.co.uk/orderform.html
62.252.224.8
cache5-leed.server.ntli.net
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; Hotbar 4.1.4.0; .NET CLR 1.0.3705)
Note that it took only 26 seconds for the customer to read the error message screen (several lines of text), and do whatever he did to reinstate the HTTP_REFERER.
My question is:-
a) How does it arise that the HTTP_REFERER in the browser address box can be a blank?
b) What did my customer do to re-instate this in his browser?
Is it something to do with the browser configuration, a firewall, or anti-virus program?
It is probably a firewall or browser privacy standards. HTTP_REFERER is contained within the browser and you shouldn't ever really rely on it in order to perform an action; at the very least you should have the ability to detect if there is no referer and use 'not referred' or something similar instead of erroring out.
As for 're-instating' it, that seems a bit odd...does your error page alter the referer variable with other information onerror? Is a form re-presented to the user that does not contain this check? Maybe the user turned off their firewall in order to process the request (unlikely). It might help to get a little more information...
Feyd - I now learn that there are browsers such as Opera and "privacy tools" such as Webwasher where the user can elect not to transmit the referer URL (why should he wish to do this???) but the user can quickly switch this feature off. I guess this is what has happened here.
On my site I found that someone was stealing my bandwidth and using my formmail.pl to send spam. I therefore altered the script so as to only accept form submissions from a defined referer page (not a blank), and send mail only to one address (mine!). This has cured the problem. My ISP has made all users upgrade to formmail.pl version 1.92 as the previous version had security flaws in it.
You'll see the referrer you inputted in your access_log.
It's much more secure to hard code the email address you want to send the form to into the script, and don't bother about checking the referrer.
And yes, I know this from experience.
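The approach suggested in the replies above, as an added example that is not part of any post in this thread and is not FormMail's own code: the recipient is hard-coded, and the referer is only recorded for the log (a blank one as 'not referred') rather than used to deny access. The host names, recipient address and required field names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Placeholders (assumptions): the site's own host names and the one fixed recipient.
my %OWN_HOSTS = map { $_ => 1 } qw(www.mydomain.co.uk mydomain.co.uk);
my $RECIPIENT = 'orders@mydomain.co.uk';
my @REQUIRED  = qw(name address item);    # hypothetical order-form fields

# Describe the Referer for the log. It is never used to accept or reject:
# the client decides what to send, and proxies or privacy tools can strip it.
sub classify_referer {
    my ($referer) = @_;
    return 'not referred' unless defined $referer && $referer =~ /\S/;
    my ($host) = $referer =~ m{^\s*https?://(?:[^/?#@]*@)?([^/:?#@]+)}i;
    return 'unparseable' unless defined $host;
    return $OWN_HOSTS{ lc $host } ? 'own site' : 'other site';
}

# Decide the outcome of one submission from its Referer and decoded form fields.
sub handle_submission {
    my ($referer, %form) = @_;
    # A recipient supplied by the request is discarded; mail only goes to $RECIPIENT.
    my $supplied = delete $form{recipient};
    my @missing  = grep { !defined $form{$_} || $form{$_} !~ /\S/ } @REQUIRED;
    my %result = (
        accepted          => @missing ? 0 : 1,
        to                => $RECIPIENT,
        referer           => classify_referer($referer),
        missing           => \@missing,
        ignored_recipient => defined $supplied ? 1 : 0,
    );
    return \%result;
}

# Constructed sample submissions; the first two mirror the log entries quoted above.
my %order = (name => 'A Customer', address => '1 High St', item => 'Widget');
my @samples = (
    [ 'blank referer, complete form', '', {%order} ],
    [ 'own-site referer', 'http://www.mydomain.co.uk/orderform.html', {%order} ],
    [ 'own-site referer, recipient set', 'http://www.mydomain.co.uk/orderform.html',
      { %order, recipient => 'someone@elsewhere.example' } ],
    [ 'no referer, incomplete form', undef, { name => 'A Customer' } ],
);
for my $s (@samples) {
    my ($label, $referer, $form) = @$s;
    my $r = handle_submission($referer, %$form);
    printf "%-34s %-7s to=%s referer=%s%s%s\n", $label,
        $r->{accepted} ? 'ACCEPT' : 'REJECT', $r->{to}, $r->{referer},
        $r->{ignored_recipient} ? ' [recipient field ignored]' : '',
        @{ $r->{missing} } ? ' missing=' . join(',', @{ $r->{missing} }) : '';
}
```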
Thanks, Toolkit. You have explained how to spoof the referer, (which I did not know about) and have to say that I am well aware of the need to hard code the recipient of the email into the perl script.
But I am still not entirely clear why my perfectly ordinary customer(s) who are not computer experts or Telnet users, nor are they trying to spoof anything, can end up with a blank referer (and hence have their form submissions rejected).
Yes, Opera offers the option of masking the referer, but they are not using Opera! Likewise Webwasher or similar 'privacy tools' as far as I can see.
If the referrer variable is blank, it's probably because a user wasn't referred.
If a user was just to type in the address of your form without being referred to it via a link then the browser would not have any HTTP_REFERER header to send.
Also, as pointed out, there are some browsers which will not provide the header, and some firewalls that will block it.
Also, don't assume that your user wasn't a computer expert... he may have known enough to realise what was going wrong and sort it out.
If the referrer variable is blank, it's probably because a user wasn't referred.
If a user was just to type in the address of your form without being referred to it via a link then the browser would not have any HTTP_REFERER header to send.
Thanks, Mouldy_Goat! I am now in an area where I am woefully ignorant, but I have to say that in fact my form submits fine when I simply type in the form's URL as opposed to reach it via the index or another page.
Surely the referer is the page (URL) of the form itself?