Issues with nonexistant HTTP_REFERER

jkurrle

I am currently working on a web host that does not have an HTTP_REFERER server environment variable. I had originally put into my execution scripts a call to check $_SERVER['HTTP_REFERER'] to make sure they were being called by a page on my server, but now I don't have that option.

Does anyone know how I might be able to replicate this functionality without a HTTP_REFERER check? I suppose I can rewrite my code to pass a password between pages, but the hacker could just look at my page sourcecode to see what the password is - not much security there...

I suppose I could set a SESSION variable and check against that on my execution scripts, but I don't know how easy it would be to replicate a SESSION variable for a hacker to get at my scripts.

I could create a ReWrite rule in my .htaccess file where my execution scripts reside, but the ReWrite rule would be dodgy at best, as it doesn't seem to work like normal Apache servers.

Any ideas or suggestions would be most helpful...

laserlight

HTTP_REFERER can be spoofed, so it is not much of an additional layer of security. You probably should use sessions instead, say with a session cookie. If you really need security, then you could consider purchasing an SSL certificate and using SSL/TLS.

jkurrle

Is a SESSION variable more secure than HTTP_RERERER ? Can a SESSION variable be spoofed as well?

laserlight

An attacker can attempt to guess the session id, but this is unlikely to succeed. More likely are session hijacking attempts, e.g., session fixation. What I am not sure is how you planned to use HTTP_REFERER, so I cannot say if a comparison makes sense.

jkurrle

I had originally used HTTP_REFERER as a way of validating that the execution scripts were being called by another page on my site. Apparently, from what you are saying, this isn't the wisest thing to do. I have a session variable set after a user logs in that I can use for a validation check instead. I guess I'll use that...