Re: Control referring domain, another HTTP_REFERER option?

I need to implement some low level security that locks a certain page
if the user does come from a particular link (which is hosted on
another domain). I've considered using HTTP_REFERER variable but
seems this is a little shaky as it is not always set.

HTTP_REFERER is trivially fakable. Plus, some users can't send it
if their lives depended on it, because ISP proxies may delete it.
Why do you need joke-level security?

Step back from the problem a little. Specifically WHAT problem are
you attempting to solve? Deep linking by Google? Too much traffic
to your site? Links from fark.com? Spammers abusing your feedback
page?

If you have gotten to the point of seriously considering handing
out ID cards to alligators to limit them to ONE bite of your ass
each, it's time to take a step back and realize that the original
problem was to drain the swamp.

Well, you could use a CAPTCHA. Or you could ask for a password and
not check it. Both probably provide better joke-level security.

Does anyone have a solution that would allow me to restrict.

If you trust the user's browser, you've thrown your security out
the window. And in this situation, only the browser knows where
it last was.

I figure I can't use a session as it is linked from another domain - same with
cookies.

Does this mean you really can't control it because the only thing that
tracks where the browser has come from is the browser, and this can't
be trusted.

Essentially, yes. If the two web servers in different domains are
under common administrative control (meaning, among other things,
that the same programmer could arrange changes on both of them),
so they could share a database, the referring web server could leave
a note that the referred web server could look at to see if the
same browser hit the referring page recently.

I've thought about setting a cookie on the other domain that my domain
will check (that way I'll know if they've at least come from there).

Cookies are designed not to work that way. Users need some privacy
left. And you (your web site) couldn't put anything (e.g. "remember
my login" cookies) into a cookie safely if every other web site the
user visits (including the evil ones) can see it (and try to hack
it).

Can a cookie be set to be accessible from "any" domain?

No. And if it could, chances are everyone would ban them, and you'd
have about a gigabyte of them from doubleclick.net alone.
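One way to implement the "note in a shared database" handoff described in the reply above, as an added example that is not from the thread: the referring server issues a single-use, short-lived token and puts it in the link; the referred server accepts the request only if that token is still in the shared store, then deletes it. The in-memory dict standing in for the shared store, the 120-second lifetime and the `ref_token` parameter name are assumptions.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the shared database both servers can reach.
# Maps token -> issue time (seconds since the epoch).
SHARED_STORE = {}
TOKEN_TTL_SECONDS = 120  # assumed lifetime; long enough for one click, not a week


def issue_referral_token(store=SHARED_STORE, now=None):
    """Referring server: leave a note. The token is random, so a visitor
    cannot guess one that was not handed out by the referring page."""
    token = secrets.token_urlsafe(32)
    store[token] = time.time() if now is None else now
    return token


def build_referred_link(base_url, token):
    """Referring server: the link the browser is given carries the note."""
    return f"{base_url}?ref_token={token}"


def consume_referral_token(token, store=SHARED_STORE, now=None):
    """Referred server: accept only if the note exists and is fresh.
    The note is removed whether or not it is accepted, so a copied or
    bookmarked link cannot be replayed."""
    now = time.time() if now is None else now
    issued = store.pop(token, None)
    if issued is None:
        return False  # never issued, or already used
    return (now - issued) <= TOKEN_TTL_SECONDS


def request_is_referred(url, store=SHARED_STORE, now=None):
    """Referred server: pull ref_token out of the requested URL and check it.
    Nothing here trusts HTTP_REFERER; only the shared store is consulted."""
    tokens = parse_qs(urlparse(url).query).get("ref_token", [])
    if len(tokens) != 1:
        return False
    return consume_referral_token(tokens[0], store, now)
```

Because the token is consumed on first use, a link shared onward (or posted elsewhere) stops working after the first visit, which is the property HTTP_REFERER and a cross-domain cookie cannot give you.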