[nycphp-talk] Safest and best way to get the referer
Rolan Yang
rolan at omnistep.com
Wed Jan 31 11:39:48 EST 2007
Relying on the integrity of HTTP_REFERER is simply a bad idea.
End user tools such as the RefControl plugin for Firefox make it easy
for anyone to spoof the referer.
I am aware of a handful of news subscription websites (which shall not
be listed here) that restrict their content to paying customers.
However, to boost rankings in the search engines, the websites make a
page of premium content available through news aggregators like
news.google.com. As a result, the websites gain free publicity and allow
users to sample one article. Clicking any deeper results in redirection
to a subscription page. How is this done? HTTP_REFERER based
authentication. Set one's referer to "news.google.com" and voila...
free premium access to the entire website. If anyone asks, you didn't
hear this from me :)
The HTTP_REFERER is a poor source for authentication and should not be
used for such purposes.
~Rolan
Joseph Crawford wrote:
> Guys,
>
> I know that HTTP_REFERER is not always accurate or even set. There
> are also ways for people to fake that value. I tend not to rely on
> it much; however, what I need to do is this.
>
> We have a file called spy.php that will return data to the browser if
> the sitekey is found in our database. This data is to be used by
> members so they can show statistics on their site. However, to be sure
> that it was the correct sitekey, I was also checking the referer domain
> against the domain stored in the database. Is there a better way to
> do this? I do not want someone to be able to display the stats for
> another site on theirs.
>
> Is there a way to do this or should i just base it on the sitekey and
> if it is valid return the stats for that particular site. The sitekey
> is an md5 hash.
>
> Thanks,
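As an added illustration of the point in this thread (example code, not from either poster and written in Python rather than PHP), the following models the spy.php gate Joseph describes: a request is served only if the sitekey exists in the database and the Referer host matches the domain registered for it. The SITE_DB table, the two sitekeys and the function names are constructed for the example. Because the Referer header is supplied by the client, a non-browser client (or a browser with a plugin such as the one Rolan mentions) can send whatever value the gate expects, while a legitimate browser that omits Referer is turned away. The sitekey-only variant is the one that actually carries the authority.

```python
from urllib.parse import urlsplit

# Constructed sample database: sitekey -> domain the member registered.
# The keys are arbitrary 32-hex strings standing in for the md5 sitekeys
# described in the thread; they are not real values.
SITE_DB = {
    "0123456789abcdef0123456789abcdef": "example.com",
    "fedcba9876543210fedcba9876543210": "example.org",
}


def referer_domain(headers):
    """Return the lowercased host from the Referer header, or None.

    Browsers may omit Referer entirely (privacy settings, HTTPS -> HTTP
    navigation), and any HTTP client can set it to an arbitrary string.
    """
    ref = headers.get("Referer")
    if not ref:
        return None
    host = urlsplit(ref).hostname  # already lowercased by urlsplit
    return host or None


def serve_stats_referer_gated(sitekey, headers):
    """The check from the thread: valid sitekey AND matching Referer host.

    Returns the stats payload (a string here) or None when refused.
    """
    domain = SITE_DB.get(sitekey)
    if domain is None:
        return None
    if referer_domain(headers) != domain:
        return None
    return f"stats for {domain}"


def serve_stats_sitekey_only(sitekey):
    """Treat the sitekey as the credential and ignore Referer entirely."""
    domain = SITE_DB.get(sitekey)
    if domain is None:
        return None
    return f"stats for {domain}"


def spoofed_headers(target_domain):
    """What any scripted client can send from anywhere, e.g.
    curl -H "Referer: http://example.com/" .../spy.php?sitekey=...
    """
    return {"Referer": f"http://{target_domain}/"}


def demo():
    """Run the three cases that matter and return them for inspection."""
    key = "0123456789abcdef0123456789abcdef"
    return {
        # Genuine visitor whose browser sends no Referer: refused.
        "real_user_no_referer": serve_stats_referer_gated(key, {}),
        # Script on another host that simply claims to come from example.com: served.
        "spoofer": serve_stats_referer_gated(key, spoofed_headers("example.com")),
        # The sitekey alone decides the outcome in the non-referer variant.
        "sitekey_only": serve_stats_sitekey_only(key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The referer check adds no protection beyond the sitekey: whoever knows the sitekey can also set the header, and the data can be fetched server-side with any Referer at all before being displayed on a third-party page. What the check does add is a false negative for visitors whose browsers suppress Referer.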