WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP REFERER not set in Internet Explorer

From: George Johnson <gjohnson () espgroup net>
Date: Wed, 16 Nov 2005 22:16:02 -0500
Saqib,
You should not use HTTP_REFERER. Opera and other browsers allow a user to shut it off entirely. That is a "tainted" variable that is user supplied and is not verifiable from the server end and thus should not be used to enhance security. If all you want to do is track the user, there are much simpler ways to do that. If you are trying to verify and force a certain path through your environment, you have a lot more work to do and we have a whole new conversation. 

Hope this helps.

George

Saqib Ali wrote:


Hello,

I am writing a secure application that tracks users on a website by
use of HTTP_REFERER. But see like Internet Explorer is not properly
populating this field.

Visit the following website using IE and Firefox.
http://www.xml-dev.com/blog/referer_test.php

And click on the Link that says "Click Here"

With Firefox, the correct HTTP_REFERER will be displayed after you
click the link. But with I.E. the HTTP_REFERER is set to blank.

Has anyone ran into this issue? How did you make your application
compatible with both I.E and Mozilla based browsers?

Because of some security concerns I need the HTTP_REFERER to be set
correctly. If it is not possible, I will have to restrict my users to
a Mozilla based browser.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
Previous By Date Next
Previous By Thread Next

Current thread: