Is it possible to fake an http_referer?

Yellow_Dart · 2003-11-27T02:34:20+00:00

Hi, I wrote a little regular expression that compares the $_SERVER['HTTP_REFERER'] against a pattern i made. The point of it is to only allow the script to...

Is it possible to fake an http_referer?

abx_2112

yes that's a great start it's so much harder to load one of your pages in a hidden frame then it is to fake the http_referer.

Care to explain?

Moonglobe

hidden frame.... no border, no width, no height. would set the session variable. you could then load the image........

drawmack

Originally posted by abx_2112
Care to explain?

http://www.suryvial.com/articles/1/1

http://www.suryvial.com/articles/1/3

Bunkermaster

FYI : reget download manager allows you to fake the referer (I sometimes use it to test my code)

abx_2112

I feel I was (am) completely ignorant in this subject. I'm afraid I didnt give enough thought to the problem, so i deserve the sarcasm 😕

yes that's a great start it's so much harder to load one of your pages in a hidden frame then it is to fake the http_referer.

anyway, thinks for the info drawmack 🙂

drawmack

Originally posted by abx_2112
I feel I was (am) completely ignorant in this subject. I'm afraid I didnt give enough thought to the problem, so i deserve the sarcasm 😕

anyway, thinks for the info drawmack 🙂

My sarcasm is not intended to offend. NP about the info

Corpheous

Wouldn't it be a better idea to set up admin privaleges in your database and set the page to check the cookie name against the database and see if that user has sufficient access to be allowed onto a page?

keith73

there is another problem with HTTP_REFERER. If a valid user is grabbing the file from your site as intended, it still may fail becuase some proxies will not send the referring page in the headers. You could be keeping legitimate users from seeing what you want them to see.

Bottom line, if you make a file public on your site, it's basically public for everyone to find. you can only do so much to limit usage, but a determined person will always find a way, unless you protect everything via htaccess.

keith

Weedpacket

Uh, you resurrected a six-year-old thread to show that you got the wrong end of the stick?

scrupul0us

There's a stick to be had?

Shameless +1 😃

dalecosp

Weedpacket;10937009 wrote:
Uh, you resurrected a six-year-old thread to show that you got the wrong end of the stick?

Perhaps he found a bug in [man]date/man ?

Oh, no, I guess not. This tag prolly won't work, either. [man]if_pebkac/man. Ah, well.