[nycphp-talk] using $_SERVER['HTTP_REFERER']

Aaron Fischer agfische at email.smith.edu
Fri Mar 5 17:48:47 EST 2004


Thanks Adam, I would guess as much.  In this specific instance I think 
it will be OK.  It is extremely unlikely that there will be any 
motivation to fake it and trick the page into loading.

However, for future use, and possibly for this one, can you give me 
some recommendations for what I should start reading up on when 
considering security?  Perhaps the question is too broad?  I would 
guess that sessions would be one area to explore.

-Aaron

On Mar 5, 2004, at 4:29 PM, Adam Maccabee Trachtenberg wrote:

>
>> I am working on a page right now that uses HTTP_REFERER to make sure
>> that the user is coming from a specific page.  It seems to be working
>> pretty well except for one little hiccup involving the back button:
>>
>> Scenario:
>> The user clicks from the referrer page to my page and is let in OK.
>> When they are done they leave and go somewhere else.  However, if they
>> choose to hit the back button they are let into my page again.  I would
>> like to know how I can prevent this from happening?
>
> I can't solve your specific problem, but HTTP_REFERER is really easy
> to fake, so don't be relying on this in general as a secure method of
> protection against anything or anyone.
>
> -adam
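
Added example (not part of the thread and not either poster's code): because the Referer header is supplied by the client, one alternative in line with the sessions idea above is a single-use token stored in the session, which also rejects the back-button replay described in the scenario. The function names are hypothetical, PHP 7.1+ is assumed, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example; issue_entry_token() and consume_entry_token() are
// hypothetical names. $session stands in for $_SESSION, which a real
// page would populate by calling session_start() first.

// Called by the referring page when it renders the link to the protected page.
function issue_entry_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));  // unguessable, unlike a Referer header
    $session['entry_token'] = $token;    // server-side copy the client cannot edit
    return $token;                       // placed in the link, e.g. page.php?t=<token>
}

// Called at the top of the protected page with the value of $_GET['t'].
function consume_entry_token(array &$session, ?string $presented): bool
{
    $expected = $session['entry_token'] ?? null;
    unset($session['entry_token']);      // single use, whatever the outcome
    return is_string($expected)
        && is_string($presented)
        && hash_equals($expected, $presented);  // constant-time comparison
}

// Constructed walk-through of the scenario from the thread.
$session = [];
$token = issue_entry_token($session);

// 1. User follows the link from the referring page.
var_dump(consume_entry_token($session, $token));

// 2. User leaves, then hits the back button: same URL, token already spent.
var_dump(consume_entry_token($session, $token));

// 3. Direct request with no token; a forged Referer plays no part in the check.
var_dump(consume_entry_token($session, null));
```

On the real page, also send `Cache-Control: no-store` so the back button re-requests the page and hits this check instead of showing a cached copy.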



