WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: HTTP REFERER not set in Internet Explorer

From: "Ory Segal" <osegal () watchfire com>
Date: Thu, 17 Nov 2005 13:49:13 +0200
While we're at it - I'll join the mob, by saying:

Don't rely on the HTTP REFERER for security. :-)

-Ory

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Wednesday, November 16, 2005 6:17 PM
To: webappsec () securityfocus com
Subject: HTTP REFERER not set in Internet Explorer

Hello,

I am writing a secure application that tracks users on a website by use
of HTTP_REFERER. But see like Internet Explorer is not properly
populating this field.

Visit the following website using IE and Firefox.
http://www.xml-dev.com/blog/referer_test.php

And click on the Link that says "Click Here"

With Firefox, the correct HTTP_REFERER will be displayed after you click
the link. But with I.E. the HTTP_REFERER is set to blank.

Has anyone ran into this issue? How did you make your application
compatible with both I.E and Mozilla based browsers?

Because of some security concerns I need the HTTP_REFERER to be set
correctly. If it is not possible, I will have to restrict my users to a
Mozilla based browser.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
Previous By Date Next
Previous By Thread Next

Current thread: