soon_j has asked for the wisdom of the Perl Monks concerning the following question:

Greetings to all! I have a script (let me call it script1.cgi) that does something, and at the end of it, it generates an output html that has a javascript that is executed upon loading "location.href=http://www.something.com/script2.cgi". Basically what the html accomplishes is a sort of re-direction to the script "script2.cgi".

The second script "script2.cgi" would only do something if the referrer is from http://www.something.com/script1.cgi, else it would return an error. This is why I used $ENV{HTTP_REFERER} in my script2.cgi.

The problem is that when I tested this on a Linux platform (Mozilla, Netscape, Galeon), the referrer is recognized, but when I accessed it using a Windows platform (IE5.5 and higher), the referrer environment variable is simply blank, therefore my script2.cgi would return an error.

Why is this so? What would be a better way to call another script or a re-direction? Example, at the end of "script1.cgi" I would want to run and execute "script2.cgi". Would it solve the issue?

Re: $ENV{HTTP_REFERER} Problem on a Windows Client
by merlyn (Sage) on May 24, 2004 at 11:53 UTC
    REFERER is trivially forged, and unreliable as you've seen. It's only for logging, and unusable as the basis for a security scheme.

    You'll have to make a hidden field or something to know that your second form was coming from your first response.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

      You are right. I used the referer in a "crude" way to determine if my session id is directly called or passed from a script. I was avoiding the possibility of session hijacking or replaying, where one simply replays a session_id from the browser history and there he goes... doing stuff he's not supposed to do.

      Though my session ids are set to expire after "n" minutes, is there another sanity check besides using a "trivial" referrer?

Re: $ENV{HTTP_REFERER} Problem on a Windows Client
by fruiture (Curate) on May 24, 2004 at 12:03 UTC

    The "Referer" is something you can NEVER rely on. It's completely up to the user-agent whether it is sent at all and what's in it. Even if the referer was your script1.cgi, that would not mean that the user has ever triggered that URL; it might be, but the user might also trick you. IE seems to treat Javascript-redirects as something without referer, that's up to him and OK, just as it is OK when Mozilla thinks otherwise.

    If you want to make sure your second script is run, you must not rely on the client: Javascript is not supported by all browsers and not activated by all users, HTML-redirects (http-equiv="refresh") may be ignored, as well as a Status 301/302/303 HTTP-Redirect. You must solve the problem within the server. Maybe by using exec, or do, or require, or by turning script2.cgi into a Perl Module and use that module from script1.cgi ...

    --
    http://fruiture.de

      I am using it as a "crude" way to sort of detect if a session id is called directly or from a script. I am trying to avoid session replaying or hijacking by trying to determine if the session id is validly passed from the script or not.

      Though my session ids expire after "n" minutes, if the session is replayed within the "n" period, this is still possible, but this is not what I wanted. Do you have some sort of "sanity check" suggestions?
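The "hidden field or something" merlyn suggests, and the replay sanity check the questioner asks for, can both be covered by a one-time handoff token that script1.cgi mints and script2.cgi verifies on the server, with no Referer involved. The following is an added example, not code from the thread or from either poster; it assumes a server-side secret kept outside the web root and a server-side session store, which a plain hash stands in for here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions (not from the thread): $SECRET lives outside the web root and is
# never sent to the client; %store stands in for a real server-side session store.
my $SECRET = 'replace-with-a-long-random-secret';
my $TTL    = 300;               # seconds a handoff token stays valid
my %store;                      # session_id => { nonce => expiry }

# script1.cgi side: mint a token bound to this session id, with a nonce the
# server remembers so the token can only be spent once.
sub issue_token {
    my ($session_id, $now) = @_;
    my $expires = $now + $TTL;
    my $nonce = sprintf '%08x%08x', int(rand 0xffffffff), int(rand 0xffffffff); # demo; use a CSPRNG in production
    $store{$session_id}{$nonce} = $expires;
    my $mac = hmac_sha256_hex("$session_id|$nonce|$expires", $SECRET);
    return "$expires:$nonce:$mac";
}

# Constant-time comparison so a mismatch does not leak through timing.
sub eq_ct {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# script2.cgi side: check the MAC, then the expiry, then consume the nonce.
# A replayed token fails the last step even inside the "n" minute window.
sub verify_token {
    my ($session_id, $token, $now) = @_;
    my ($expires, $nonce, $mac) = split /:/, $token, 3;
    return 0 unless defined $mac && $expires =~ /^\d+$/;
    my $expected = hmac_sha256_hex("$session_id|$nonce|$expires", $SECRET);
    return 0 unless eq_ct($mac, $expected);
    return 0 if $now > $expires;
    return 0 unless delete $store{$session_id}{$nonce};
    return 1;
}

# Demo: script1 would place the token in a hidden field or the redirect URL and
# script2 would read it back with CGI->new->param('token').
my $sid = 'abc123';
my $tok = issue_token($sid, time);
print "first use:     ", (verify_token($sid, $tok, time) ? 'accepted' : 'rejected'), "\n";
print "replayed:      ", (verify_token($sid, $tok, time) ? 'accepted' : 'rejected'), "\n";
print "wrong session: ", (verify_token('xyz', issue_token($sid, time), time) ? 'accepted' : 'rejected'), "\n";
```

The session id itself should still be bound to the usual server-side checks (expiry, and ideally a cookie rather than a URL parameter), since the token only proves that script1 issued this particular handoff.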