leaving some users unable to use your app. Basically, I believe referrers
shouldn't be used for anything except stats gathering.
-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Monday, 1 March 2004 3:42 p.m.
To: CF-Talk
Subject: RE: Protect action pages
> How about a hidden flash app that uses the xmlload method to grab the
> http_host/http_referer from the server in a hash format that is then
> passed with all forms/urls? On the next pages, the hash returned by
> flash would be compared with a hash of the
> cgi.http_host/cgi.http_referer returned by CF/web server. While they
> could fake the http_host/http_referer in the web client, it would be
> different from the value returned by flash, so you could reject it.
>
> I don't know enough about flash to know if that's easy to get around.
Presumably, if it's a hash of the host and referer headers, it would always
be the same for a given host and referer combination, which means that it
would be easy for someone to see what the right value should be and simply
specify the same value in their automated HTTP client.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
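As an added illustration (not code from the thread), the two designs side by side in Python: the unkeyed hash of host and referer that the quoted message proposes, which any client that knows those two public header values can recompute, next to a per-session random token that is stored server side and consumed once. The per-session token is a technique added here for contrast, not one proposed in the thread; the host/referer values, session ids and in-memory store are constructed for the example.

```python
import hashlib
import hmac
import secrets


def header_hash_token(http_host: str, http_referer: str) -> str:
    """The quoted proposal: an unkeyed hash of two request headers.
    Every client that knows the host and referer values gets the same digest."""
    return hashlib.sha256(f"{http_host}|{http_referer}".encode()).hexdigest()


def header_hash_accepts(submitted: str, http_host: str, http_referer: str) -> bool:
    """Action-page check from the proposal: recompute the digest and compare."""
    return hmac.compare_digest(submitted, header_hash_token(http_host, http_referer))


class SessionTokenStore:
    """Per-session random token, stored when the form is rendered and consumed
    once when the action page is hit. Constructed in-memory store standing in
    for real server-side session storage."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(16)  # 128 random bits, not derivable from any request header
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted: str) -> bool:
        expected = self._tokens.pop(session_id, None)  # single use: a second submission fails
        return expected is not None and hmac.compare_digest(expected, submitted)


def compare_designs() -> dict[str, bool]:
    """Run both checks against a constructed request and report the outcomes that matter."""
    host, referer = "www.example.com", "http://www.example.com/form.cfm"
    # A second, unrelated client that knows only the two public header values
    # produces exactly the digest the server expects: the check proves nothing about origin.
    token_from_form = header_hash_token(host, referer)
    token_from_elsewhere = header_hash_token(host, referer)
    store = SessionTokenStore()
    issued = store.issue("session-A")
    return {
        "header_hash_is_constant": token_from_form == token_from_elsewhere,
        "header_hash_accepts_recomputed_value": header_hash_accepts(token_from_elsewhere, host, referer),
        "session_token_accepts_issued_value": store.verify("session-A", issued),
        "session_token_rejects_replay": not store.verify("session-A", issued),
        "session_token_rejects_other_session": not store.verify("session-B", issued),
    }
```

Every entry in the returned dict is True, which is the whole point: the header hash is a constant the server cannot distinguish from a legitimate submission, while the session token is unpredictable, bound to one session and valid once.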