The HTTP spec does not require the browser to pass the referer.
Plain and simple. So it cannot be depended on since it will not
always exist.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"To announce that there must be no criticism of the president, or
that we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public."
-- Theodore Roosevelt
On Jun 14, 2007, at 2:29 PM, Ajas Mohammed wrote:
Hi Dean,
Thanks for the information. I understand the threat the
cgi.HTTP_REFERER variable poses and also that it's not safe to
depend on any client-generated variables.
But let's say I want to know the answers to these 2 questions; what
would the answers be, i.e.
1) why is cgi.HTTP_REFERER empty, and
2) is there a way I can get the value of cgi.HTTP_REFERER?
thanks,
On 6/14/07, Dean H. Saxe <[EMAIL PROTECTED]> wrote:
FWIW, the referer header is a great way to get information
disclosure. It's a great way to find previously unknown URLs just
by scraping referer logs. Can be used to track where someone has
been previously... fun stuff.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[T]he people can always be brought to the bidding of the leaders.
This is easy. All you have to do is to tell them they are being
attacked, and denounce the pacifists for lack of patriotism and
exposing the country to danger. It works the same in every country."
--Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials
On Jun 14, 2007, at 1:10 PM, Ajas Mohammed wrote:
Hi,
In one of my CF 7 applications, say Appl A, I have a link to
another application, Appl B. Appl B will allow a user to access
restricted pages if he is a referred user from Appl A. In the
Application.cfm file of Appl B, I have this code:
<!--- client var for testing the value of cgi.HTTP_REFERER --->
<cfset client.Referer = cgi.HTTP_REFERER>
<!--- cgi.HTTP_REFERER is whatever Referer header the client sent (or an
empty string when none was sent); "contains" is case-insensitive --->
<cfif cgi.HTTP_REFERER contains "mysitekeyword">
    <cfset referred = "true">
<cfelse>
    <cfset referred = "false">
</cfif>
<!--- referred is always set by the block above, so no IsDefined() guard
is needed. If user is referred, then set login stuff so user is not
thrown to login page --->
<cfif referred>
    <cfset client.login = "Referred">
    <cfset client.my_first_name = "RefFirstName">
    <cfset client.can_access = "Y">
    <cfset client.can_config = "N">
    <cfset client.can_create_client = "N">
    <cfset client.can_config_client = "N">
    <cfset client.limit_access = "N">
    <cfset client.access_name = "RefUser">
    <cfset client.started = "true">
</cfif>
This code ensures that the user can view the pages. If the user is not
referred, then he has to log in.
The problem I am facing is that, when users click the link in Appl
A to come to Appl B, cgi.HTTP_REFERER is empty, which means the
code above won't be executed (referred = "false") and the user is thrown
to the login page. I don't know why this is happening. Perhaps it has
something to do with security / anti-virus and the CF server sets it
to empty.
I checked both variables, i.e. my client.Referer variable and
cgi.HTTP_REFERER, on the page that is displayed first to the user (in
this case the login page), and both variables are empty.
Is there a way I could get the value of cgi.HTTP_REFERER?
Thanks,
--
<Ajas Mohammed />
http://ajashadi.blogspot.com
No matter what, find a way. Because that's what winners do.
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
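The two points made in the thread, that a genuine visitor may arrive with no Referer header at all while anyone can type one in, and that a handoff between two applications should therefore not key on it, as an added Python example that is not part of the thread or of either ColdFusion application. The first function is a port of the Application.cfm check above; the HMAC-signed handoff token, the shared secret, the appb.example host name and the function names are assumptions for illustration, not something the posts describe.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode


# Port of the thread's Application.cfm logic: access is granted when the
# Referer header contains a keyword. CFML's "contains" is case-insensitive,
# so the comparison is lower-cased here to match it.
def referred_by_referer(headers: dict, keyword: str = "mysitekeyword") -> bool:
    return keyword.lower() in headers.get("Referer", "").lower()


# Constructed requests (not captured traffic):
#  1. a genuine user coming from Appl A whose browser or proxy sent no Referer
#  2. an outsider who simply puts the keyword into the Referer header
GENUINE_NO_REFERER = {"Host": "appb.example"}
SPOOFED = {"Host": "appb.example",
           "Referer": "http://attacker.example/?mysitekeyword"}


# Hypothetical replacement: Appl A signs a short-lived, single-use handoff
# token with a secret shared with Appl B; the Referer plays no role.
SHARED_SECRET = b"example-secret-shared-out-of-band"  # assumption: provisioned to both apps
TOKEN_TTL_SECONDS = 60


def _sign(payload: str) -> str:
    return hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_handoff(user: str, now: Optional[int] = None) -> str:
    """Called by Appl A when building the link to Appl B; returns the query string."""
    now = int(time.time()) if now is None else now
    exp = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)
    sig = _sign(f"{user}|{exp}|{nonce}")
    return urlencode({"u": user, "exp": exp, "n": nonce, "sig": sig})


def verify_handoff(query: str, seen_nonces: Set[str],
                   now: Optional[int] = None) -> Optional[str]:
    """Called by Appl B; returns the user name on success, None on any failure."""
    now = int(time.time()) if now is None else now
    q = parse_qs(query)
    try:
        user, exp, nonce, sig = q["u"][0], int(q["exp"][0]), q["n"][0], q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    # constant-time comparison so a forged signature cannot be guessed byte by byte
    if not hmac.compare_digest(_sign(f"{user}|{exp}|{nonce}"), sig):
        return None
    if now > exp:             # expired
        return None
    if nonce in seen_nonces:  # replayed
        return None
    seen_nonces.add(nonce)
    return user


if __name__ == "__main__":
    print("genuine, no Referer :", referred_by_referer(GENUINE_NO_REFERER))
    print("spoofed Referer     :", referred_by_referer(SPOOFED))
    seen = set()
    link = issue_handoff("alice", now=1_000_000)
    print("valid token         :", verify_handoff(link, seen, now=1_000_010))
    print("replayed token      :", verify_handoff(link, seen, now=1_000_020))
```

Run it and the spoofed request passes the Referer check while the genuine one fails, which is exactly the outcome described in the thread; the signed token is accepted once and then rejected as a replay, as an expired or tampered one is. In a real deployment the nonce set would live in storage both Appl B instances share, and Appl A would issue the token only after it had authenticated the user itself.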