Http_referer

gimenei

Hello!

I'm building a payment gateway between my e-commerce site and 2checkout.com.

I'm using following Perl code to check that user is refered from 2Checkout.com.

I'm trying to write a similar code in PHP. Everything works fine when referer is a regular site, but when the referer is secure site (ex. https://www.2checkout.com), HTTP_REFERER variable is just empty!!

Could someone please help me with it? Any ideas?

Thank You!
Janno

@referers=("www.2checkout.com","2checkout.com");
&check_url;
sub check_url {
local($check_referer) = 0;
if ($ENV{'HTTP_REFERER'}) {
foreach $referer (@referers) {
if ($ENV{'HTTP_REFERER'} =~ m|https?://([^{/]*)$referer|i)} {
$check_referer = 1;
last;
}
}
}
else {
$check_referer = 1;
}

if ($check_referer != 1) {
print "Bad Referrer - Merchant should put in code to write to a log or mail themselves a
note to verify order was billed in 2Checkout.com system"; }
}

swr

You can't depend on HTTP_REFERRER. It is optional; the browser doesn't have to send it.

I don't really know, but it is conceivable that the browser is refusing to give referrer from secure site in case the URL contained form variables that might be security-sensitive. It's also possible that the https site is redirecting the browser in such a way that the referrer is not sent.

In any event, your code should accept a blank referrer, in case the browser just doesn't want to tell you where it's been.

gimenei

Yes, I have read that HTTP_REFERRER is not the best way to do it... but is there an alternetive way to do it??

swr

Some brief testing (with Firebird 0.7) shows that redirection using "meta refresh" mechanism causes the referer to be blank.

I suppose what you are trying to prevent is someone creating a spoof site that pretends to be processing an order, that afterwords redirects the user to your site. SSL certificates are supposed to prevent the spoof site. You can't reliably prevent the redirection afterwards.

If 2checkout.com is using "meta refresh" then that could, as I mentioned above, cause your blank referrer problem. You could ask them to use another mechanism to preserve referrer, but that won't actually fix your problem. You need to accept a blank referer in case the browser and/or proxy have been configured to not give that info (this is becoming increasingly common). But by accepting a blank referrer, you allow any spoof site to use "meta refresh" or other mechanism to hide the malicious referer.

Bottom line is no, I don't think there's a way to do what you want. In theory SSL certificates make it a non-issue. In practice it's not 100% (users don't always pay attention) but there's not much you can do.