in reply to Referer check within domain problem

The HTTP specification doesn't mandate the usage of the Referer header. Some browsers may opt not to send the header. Proxies may strip out the header (what do you mean "the site cannot be accessed by proxy"? You can't always know whether there's a proxy involved). And in some cases, browsers should not send a Referer header, for instance when following a bookmark, or when the user types in a URL.

See also the HTTP specification. Denying or allowing access based on a Referer header is a bad thing to do.

Abigail

Re: Re: Referer check within domain problem
by jerrygarciuh (Curate) on Nov 22, 2002 at 17:05 UTC
    Thank you for your response. When you have a script which should only accept input from specific pages how do you control this? Is one Good way to do this using .htaccess allow from where that is available?
    All advice seriously appreciated!
    jg
    _____________________________________________________
    "The man who grasps principles can successfully select his own methods.
    The man who tries methods, ignoring principles, is sure to have trouble."
    ~ Ralph Waldo Emerson
      When you have a script which should only accept input from specific pages how do you control this?
      I would never make such a script, because the premise is flawed. HTTP was created as a stateless protocol, and that's how it works best. Why would a resource care which resource the user consulted before? Why try to funnel the user through a virtual corridor? HTTP wasn't designed for that, and any trick you try will eventually fail. As you found out.

      Don't fight the system, work with it.

      Abigail