Hello friends, I believe this is my first post here. I am having an issue, and I am hoping some of the smart people here will be able to help me.
I have generated some code for our customers to put on their sites, which basically displays our seal of approval. The code is simple JavaScript, and it calls an external JavaScript file (located on our server), which performs validation based on URL variables passed along with it, and displays the appropriate seal. For example, the code could look like this:
<script language="javascript" src="http://www.mydomain.com/scripts/test.php?var1=abc&var2=def"> </script>
The issue I am running into is this: I want to verify that the website displaying this seal is the actual website it claims to be. I have been unable to find a perfect solution. Here is what I have tried and why it has failed:
1: Keep in mind that I can't put any PHP code in our code that the customers generate, because they may or may not have PHP on their server.
2: $_SERVER['HTTP_HOST'] does not work, because the script itself is on my server, so HTTP_HOST always returns www.mydomain.com, not the domain displaying the script.
3: $_SERVER['HTTP_REFERER'] does not work, because different browsers handle that variable differently. It works pretty well most of the time, but for some reason, my boss doesn't like "pretty well most of the time." 😉
4: We can't use sessions, because it is not good practice to set sessions for your site on another person's site. Makes them mad and whatnot.
5: I considered using an MD5 hash of the domain name and adding it hardcoded as one of the URL variables in the script that they call, but that doesn't really solve the problem. Yes, it ensures that the code is authentic, but it doesn't actually verify that the site displaying the seal is correct.
I am at a loss. If anyone has any ideas, please help me out. I greatly appreciate it.
I guess my great hope is that there is some alternative to HTTP_REFERER that can tell me what page called a script.
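The trade-off between items 3 and 5 above, as an added example that is not part of the original post: a keyed token proves the snippet was issued for a domain, while the Referer header, when present, is the only server-side hint of which site is embedding it. This is a Node.js stand-in for the check inside test.php; the function names, the secret, the use of HMAC-SHA256 in place of the MD5 hash mentioned, and the `.example` domains are all assumptions constructed for illustration.

```javascript
// Added example, not the poster's code. Node.js stand-in for the server-side check.
const { createHmac, timingSafeEqual } = require('crypto');

// Assumption: a secret known only to the seal server (constructed value).
const SECRET = 'constructed-demo-secret';

// Item 5, but keyed: an unkeyed hash of a domain name can be computed by anyone,
// so the token is an HMAC over the lower-cased domain instead.
function issueToken(domain) {
  return createHmac('sha256', SECRET).update(domain.toLowerCase()).digest('hex');
}

// Constant-time comparison of the supplied token against the expected one.
function tokenValid(domain, token) {
  const expected = Buffer.from(issueToken(domain), 'hex');
  const given = Buffer.from(String(token), 'hex'); // invalid hex yields a short buffer
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Classify a seal request. `referer` is the raw Referer header, or undefined.
//   'reject'     - token was not issued by us for this domain
//   'verified'   - token is good and the Referer host matches the domain
//   'mismatch'   - token is good but the Referer names a different host
//   'unverified' - token is good but there is no usable Referer (item 3):
//                  the server cannot tell which site is showing the seal
function checkSealRequest(domain, token, referer) {
  if (!tokenValid(domain, token)) return 'reject';
  if (!referer) return 'unverified';
  let host;
  try {
    host = new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return 'unverified'; // malformed header, treat like a missing one
  }
  const d = domain.toLowerCase();
  return host === d || host === 'www.' + d ? 'verified' : 'mismatch';
}
```

The 'unverified' outcome is the gap described in item 5: a valid token with no Referer authenticates the snippet, not the page that embeds it, so the server has to choose a policy for that case.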