On my site I have an on-line order form which transmits using
a modified version of Formmail.
For security reasons, if a form is submitted with the HTTP_REFERER blank (or not my domain) then access is denied and an error message is returned. I also record details of submissions (successful or otherwise) in an error file. (Some failed submissions arise because the form is not correctly completed).
It is probably a firewall or browser privacy standards. HTTP_REFERER is contained within the browser and you shouldn't ever really rely on it in order to perform an action, at the very least you should have the ability to detect if there is no refererer and use 'not referred' or something similiar instead of erroring out.
As for 're-instating' it, that seems a bit odd...does your error page alter the referer variable with other information onerror? Is a form re-presented to the user that does not contain this check? Maybe the user turned off their firewall in order to process the request (unlikely). It might help to get a little more information...
Feyd - I now learn that there are browsers such as Opera and "privacy tools" such as Webwasher where the user can elect not to transmit the referer URL (why should he wish to do this???) but the user can quickly switch this feature off. I guess this is what has happened here.
On my site I found that someone was stealing my bandwith and using my formmail.pl to send spam. I therefore altered the script so as to only accept form submissions from a defined referer page (not a blank), and send mail only to one address (mine!). this has cured the problem. My ISP has made all users upgrade to formmail.pl version 1.92 as the previous version had security flaws in it.
You'll see the referrer you inputted in your access_log.
It's much more secure to hard code the email address you want to send the form to into the script, and don't bother about checking the referrer.
And yes, I know this from experience
Thanks, Toolkit. You have explained how to spoof the referer, (which I did not know about) and have to say that I am well aware of the need to hard code the recipient of the email into the perl script.
But I am still not entirely clear why my perfectly ordinary customer(s) who are not computer experts or Telnet users, nor are they trying to spoof anything, can end up with a blank referer (and hence have their form submissions rejected).
Yes, Opera offers the option of masking the referer, but they are not using Opera! Likewise Webwasher or similar 'privacy tools' as far as I can see.
If the referrer variable is blank, it's probably because a user wasn't referred.
If a user was just to type in the address of your form without being referred to it via a link then the browser would not have any HTTP_REFERER header to send.
Thanks, Mouldy_Goat! I am now in an area where I am woefully ignorant, but I have to say that in fact my form submits fine when I simply type in the form's URL as opposed to reach it via the index or another page.
Surely the referer is the page (URL) of the form itself?