It depends on exactly what you use HTTP_REFERER for. However, when doing 
security audits on sites the most common use I see is to check that a form 
is submitted from a correct page. It is much better to do proper form 
validation.

Of course, there are other reasons, but I would just go along with what Mike 
said:

> > > In short, if you're planning an application that's going to need
> > > http_referer, my advice is to re-think it!


Cheers,
Mark



> Mark,
>
> Curious, what other method do you use?
>
> Paul Giesenhagen
> QuillDesign
>
>
> > I have always regarded the use of HTTP_Referer as a security measure to be
> > rather poor, as it can easily be spoofed. So my sites don't rely on it,
> > although occasionally they may use it to refine error messages.
> >
> > Cheers
> >
> >
> >
> > > The correct spelling is the American spelling - i.e. cgi.http_referer even
> > > though my Outlook insists on arguing with me and changing it to referrer.
> > >
> > > But as you have discovered, not all browsers send the parameter, because the
> > > anti-spamming measures adopted by a lot of people block it.  This hasn't
> > > been much of a worry until recently.  But a site I'm working on has a
> > > rapidly increasing number of users with this problem, and I'm having to
> > > re-write a whole application which relied on http_referer to verify the user
> > > had access.  Computers are increasingly being delivered to users with
> > > personal firewalls installed and that gives rise to the problem.
> > >
> > > In short, if you're planning an application that's going to need
> > > http_referer, my advice is to re-think it!
> > >
> > > Cheers,
> > > Mike Kear
> > > Windsor, NSW, Australia
> > > AFP WebWorks
> > >
> > >
> > > -----Original Message-----
> > > From: mark brinkworth [mailto:[EMAIL PROTECTED]]
> > > Sent: Sunday, 28 July 2002 1:09 PM
> > > To: CF-Talk
> > > Subject: Re: CGI.HTTP_REFERER
> > >
> > > Some firewalls (such as Norton's - I know this from personal experience),
> > > block or change the http_referer that is sent from the browser to the
> > > server. In the case of Norton, it gets changed to http_weferer, and consists
> > > of a rather random looking alphabet soup.
> > >
> > > Cheers,
> > > Mark
> > >
> > >
> > >
> > >
> > > > Okay.  I'm stumped.  I had this whole lovely plan for something I'm working
> > > > on.  It involved looking at the value of CGI.HTTP_REFERER.  But that value
> > > > isn't coming up on my radar.  It doesn't matter what browser I use.  It's
> > > > just not there.  I've tried different spellings (REFERRER, REFERER), looped
> > > > through every variable available, put a reference without a variable scope
> > > > prefix, everything.  It just doesn't show up.
> > > >
> > > > I understand that the CGI variables returned are based on the server
> > > > configuration.  So I guess my entire pile of questions is:
> > > >
> > > > A) Am I doing something simple and obviously stupid?
> > > >
> > > > B) What would I have to do to my server to get it to return this variable:
> > > > is it on the CFAS side, or on the HTTP-server-software side?
> > > >
> > > > Thanks for any help anyone can give.  I need this blasted variable!!
> > > >
> > > > Matthieu
> > > >
> > > >
> > > >
> > >
> > >
> >
>
______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
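The thread's point is that a Referer-based "was this form submitted from my page?" check fails in both directions: privacy tools and personal firewalls strip or mangle the header (Mark reports Norton rewriting it to `http_weferer` with random content), so legitimate users are rejected, while anyone who controls the client can forge it, so attackers are accepted. The following is an added example, not code from the thread or from any of the posters, written in Python rather than CFML so it can be run stand-alone. It puts the Referer check beside one server-side alternative in the spirit of Mark's "proper form validation": a token tied to the user's session that is emitted in a hidden field when the form is rendered and verified on submission. `Request`, `SERVER_SECRET`, `TRUSTED_PREFIX`, the session identifiers and the hidden-field name `form_token` are assumptions for the demonstration; the three requests are constructed.

```python
"""Referer check versus a session-bound form token (added example, not the thread's code)."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: a per-deployment secret that never leaves the server.
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"
# Assumption: the site whose form page we expect submissions to come from.
TRUSTED_PREFIX = "https://www.example.com/"


@dataclass
class Request:
    headers: dict     # header names lower-cased, as a server normalises them
    form: dict        # submitted form fields
    session_id: str   # assumption: taken from the user's session cookie


def referer_check(req: Request) -> bool:
    """The approach the thread argues against.

    The Referer header is supplied by the client, so it can be omitted or
    rewritten by privacy tools and personal firewalls, or forged outright.
    """
    return req.headers.get("referer", "").startswith(TRUSTED_PREFIX)


def issue_form_token(session_id: str) -> str:
    """Generated when the form page is rendered and placed in a hidden field.

    Binding the token to the session with an HMAC means a submission from a
    copied or cross-site form cannot carry a valid token, whatever Referer it
    sends, because the attacker never sees the token issued to the victim.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(req: Request) -> bool:
    """Server-side check that this submission came from a form we issued to
    this session.  compare_digest avoids a timing side channel on the compare."""
    expected = issue_form_token(req.session_id)
    return hmac.compare_digest(expected, req.form.get("form_token", ""))


# Constructed requests for the three situations raised in the thread.

# 1. Ordinary browser: Referer present, token present.
LEGIT = Request(
    headers={"referer": "https://www.example.com/edit.cfm"},
    form={"form_token": issue_form_token("sess-123"), "name": "Matthieu"},
    session_id="sess-123",
)

# 2. Personal firewall mangled the header, so no Referer reaches the server,
#    but the token in the hidden field travelled with the form body untouched.
FIREWALLED = Request(
    headers={"http_weferer": "xq9vKzl0pa"},   # constructed "alphabet soup"
    form={"form_token": issue_form_token("sess-456"), "name": "Mike"},
    session_id="sess-456",
)

# 3. Form copied and submitted from another site: the Referer is forged to
#    look right, the victim's session cookie still accompanies the request,
#    but the attacker can only guess at the token.
FORGED = Request(
    headers={"referer": "https://www.example.com/edit.cfm"},
    form={"form_token": "guess", "name": "evil"},
    session_id="sess-123",
)


def evaluate() -> dict:
    """Returns (referer_check, token_check) for each case so the contrast is explicit."""
    cases = {"legit": LEGIT, "firewalled": FIREWALLED, "forged": FORGED}
    return {name: (referer_check(r), token_check(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (by_referer, by_token) in evaluate().items():
        print(f"{name:10s} referer_check={by_referer!s:5s} token_check={by_token}")
```

Running it shows the Referer check rejecting the firewalled user and accepting the forged submission, while the token check gets both right and never looks at the header. Deriving the token from the session identifier keeps the example stateless; a random per-session token stored server side and rotated on login works the same way and is the more common shape. Validating the submitted field values themselves (required fields, lengths, types) still belongs in the handler regardless of which origin check is used.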