in reply to http referers, if, else and failures

HTTP_REFERER is not trustworthy in at least two ways. First, it can be forged. Secondly, you can't rely on it being set. View it as a piece of information that, while it may be interesting, is not very useful.

-Waswas

Re: Re: http referers, if, else and failures
by YAFZ (Pilgrim) on Jun 25, 2003 at 21:40 UTC
    How can HTTP_REFERER be forged? And if it is not trustworthy what is the best way to learn from where the visitor comes to my website? Is this possible? I'll be glad if you can enlighten me.
      I am not going into forging HTTP_REFERER; if interested, search Google for "forge HTTP REFERER" and see that it is a client-sent HTTP header. As for verifying the location that linked to your site, you can perform many variations of this, including the page that refers to you calling an SSI script that talks to your host and generates a session URL to show as the link. Really, there are tons of ways this can be done securely -- lol look at how porn sites do it.

      -Waswas
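
The session-URL idea from the reply above, sketched as an added example that is not code from the thread: the referring page's server-side include asks your host for a short-lived signed token and embeds it in the link, and your landing page trusts that token instead of the Referer header. The function names, key, lifetime and token layout are assumptions made for illustration, and the channel between the referring server and your host is assumed to be authenticated.

```python
import hashlib
import hmac
import re
import time

# Assumptions for this sketch: constructed key and lifetime, not values from the thread.
SECRET_KEY = b"constructed-demo-key-replace-me"   # known only to your host
TOKEN_TTL = 300                                   # seconds a generated link stays valid
PARTNER_RE = re.compile(r"[A-Za-z0-9-]{1,32}")    # no '.' so the token splits cleanly

def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_link_token(partner_id, now=None):
    """Run on your host when the referring page's include asks for a link."""
    if not PARTNER_RE.fullmatch(partner_id):
        raise ValueError("invalid partner id")
    issued = int(time.time() if now is None else now)
    payload = f"{partner_id}.{issued}"
    return f"{payload}.{_sign(payload)}"

def verify_link_token(token, now=None):
    """Return the partner id if the token is authentic and fresh, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    partner_id, issued_s, sig = parts
    if not (issued_s.isascii() and issued_s.isdigit()):
        return None
    expected = _sign(f"{partner_id}.{issued_s}")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    age = int(time.time() if now is None else now) - int(issued_s)
    if age < 0 or age > TOKEN_TTL:
        return None
    return partner_id

def visit_source(token, referer, now=None):
    """Classify an incoming visit; the Referer header is kept only as a hint."""
    partner = verify_link_token(token, now) if token else None
    if partner is not None:
        return ("verified", partner)
    return ("unverified", referer)   # may be forged or absent, so log it, never gate on it
```

A valid token shows that your host generated the link for that partner within the last few minutes; it can still be copied and reused by anyone until it expires, so keep the lifetime short.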