WebApp Sec mailing list archives

Re: HTTP REFERER not set in Internet Explorer


From: Saqib Ali <docbook.xml () gmail com>
Date: Thu, 17 Nov 2005 08:05:38 -0800

Hello All,

Thank ya all for the responses. I am aware that the HTTP_REFERER can
be easily forged. However I am using it in a context which makes it
somewhat useful. Our application is NOT completely dependent on the
HTTP_REFERER for security, there are other mechanisms involved as
well.

I am using HTTP_REFERER to:
1) Track users on the website. And use it to optimize the layout of the site.
2) Prevent direct linking to some of our web pages. Anti-leeching??? I
know this can be forged, but I think it will prevent newbie webmasters
from direct linking.

The following are solutions that were proposed. Thanks :) They are very helpful.

------------ Solution 1 ------------------
<script language="JavaScript"><!--

function goto_url() {
  // This JavaScript function generates a confirmation message for the
  // license to be deleted.
  if (userPressesYes()) {
    return true;
  } else {
    return false;
  }
}
// --></script>

<body>
<a href="referer_test.php?action=output" onClick="return goto_url();">Click Here</a>
------------------------------------------

-------------Solution 2 ------------------
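// encodeURIComponent() also encodes "+", "/" and "&", which escape() leaves or mishandles
location.href = 'script.php?href=' + encodeURIComponent( location.href );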
------------------------------------------


In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
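
The anti-leeching use in item 2, combined with the href fallback from Solution 2, as an added server-side sketch in Node.js (not code from this thread). ALLOWED_HOSTS, hostOf and checkOrigin are hypothetical names, the hosts are constructed sample values, and denying a request with no usable origin is an assumed policy; both inputs are client-supplied, so the result is a hint and not an access control.

```javascript
// Added example: hotlink check that tolerates a missing Referer header.
// ALLOWED_HOSTS and all sample URLs are constructed for illustration.
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);

// Return the lowercase host of an absolute http(s) URL, or null if unusable.
function hostOf(value) {
  if (typeof value !== 'string' || value === '') return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null; // malformed or relative URL
  }
}

// Classify a request for a protected page.
//   refererHeader: Referer header value, or undefined when the browser sent none
//   requestUrl:    path and query of the request, e.g. '/script.php?href=...'
// Returns { decision: 'allow' | 'deny', source: 'referer' | 'href-param' | 'none' }.
function checkOrigin(refererHeader, requestUrl) {
  let host = hostOf(refererHeader);
  let source = 'referer';
  if (host === null) {
    // No usable Referer (the Internet Explorer case): fall back to the
    // href parameter that Solution 2 appends on the client side.
    const query = new URL(requestUrl, 'http://placeholder.invalid').searchParams;
    host = hostOf(query.get('href'));
    source = host === null ? 'none' : 'href-param';
  }
  if (host === null) return { decision: 'deny', source };
  // Exact host comparison: a substring test would also accept hosts that
  // merely contain an allowed name, such as www.example.com.other.test.
  return { decision: ALLOWED_HOSTS.has(host) ? 'allow' : 'deny', source };
}
```

Logging the source field alongside the decision shows how often the fallback parameter, rather than the header, is what identified the linking page.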

