View Full Version : Authenticating a website

01-30-2007, 11:45 PM
OK Here it goes.

I've been trying to find the answer to this problem for a few days now and I'm completely stumped.

I am trying to find a way to know what website has called an image from our server. For instance if website A placed an image from my server on a page, what is the url of that page?

I know that you can use ASP ServerVariables("HTTP_REFERER") as one method but I also know that this is unreliable as header information can be spoofed and if the image is called from a secure page (HTTPS) then there is no HTTP_REFERER information sent in the headers.

I know that there must be a way to do this because when I look at my website stats using AWStats I see visitors that come from secure sites such as https://www.paypal.com

If AWStats can track the referring websites that are visiting from HTTPS then there must be a way to do it.

Can someone help???


01-31-2007, 12:47 PM
Look at your webserver logs.

01-31-2007, 04:28 PM
Gee degsy what help you've been!

Certainly there's got to be someone that actually has something more constructive to input. I can look at my logs with no problem.

The question is:

What method is used to achieve the result? I already know the result.

02-01-2007, 03:59 PM
I meant to say
look at your webserver logs and see if you are getting the same info or if they are detecting the referers.

AFAIK IIS and Apache use the HTTP_REFERER server variable to record the referer, so it should be the same as in the scripts.

If you are getting fuller info from the log you could parse it.

Have you looked into the AWStats scripts to see what method they are using?

02-01-2007, 05:50 PM
Hi degsy,

I'll see if I can look at the IIS logs. As for the AWstats scripts do you know if these are publicly available?

I'm on a hosted server and don't have access to the scripts.

I'm really confused about the whole thing. The more I read, the more I realize why the referer is not relayed for secure pages. However, why does paypal get relayed. It seems to be the only one!?

02-02-2007, 02:43 PM
You can install your own version of awstats on your server

02-02-2007, 04:20 PM
Thanks degsy,

I'll give it a try.

02-03-2007, 01:19 AM

I think that I have solved this problem. From what I can tell the HTTP_REFERER will NOT be sent through the HTTP headers in IE or FireFox if a client has clicked on a link on a secure page.

However; if an image is displayed on a secure page then the referring URL IS passed in the headers. I just tested this in IE and FireFox. I can't speak for other browsers.

Stupid me. I was testing this with clickable links rather than trying with an image. This explains why PayPal shows up in my AWstats logs. They are pulling an image from my server.

Of course now I feel stupid.

02-06-2007, 02:54 PM
Nice :thumbsup: