[nycphp-talk] using $_SERVER['HTTP_REFERER']
Aaron Fischer
agfische at email.smith.edu
Fri Mar 5 17:48:47 EST 2004
Thanks Adam, I would guess as much. In this specific instance I think
it will be OK. It is extremely unlikely that there will be any
motivation to fake it and trick the page into loading.
However, for future use, and possibly for this one, can you give me
some recommendations for what I should start reading up on when
considering security? Perhaps the question is too broad? I would
guess that sessions would be one area to explore.
-Aaron
On Mar 5, 2004, at 4:29 PM, Adam Maccabee Trachtenberg wrote:
>
>> I am working on a page right now that uses HTTP_REFERER to make sure
>> that the user is coming from a specific page. It seems to be working
>> pretty well except for one little hiccup involving the back button:
>>
>> Scenario:
>> The user clicks from the referrer page to my page and is let in OK.
>> When they are done they leave and go somewhere else. However, if they
>> choose to hit the back button they are let into my page again. I
>> would
>> like to know how I can prevent this from happening?
>
> I can't solve your specific problem, but HTTP_REFERER is really easy
> to fake, so don't be relying on this in general as a secure method of
> protection against anything or anyone.
>
> -adam
More information about the talk
mailing list