NYCPHP Meetup

[nycphp-talk] Safest and best way to get the referer

Rolan Yang rolan at omnistep.com
Wed Jan 31 11:39:48 EST 2007


Relying on the integrity of HTTP_REFERER is simply a bad idea.
End user tools such as the RefControl plugin for Firefox make it easy 
for anyone to spoof the referer.

I am aware of a handful of news subscription websites (which shall not 
be listed here) that restrict their content to paying customers. 
However, to boost rankings in the search engines, the websites make a 
page of premium content available through news aggregators like 
news.google.com. As a result, the websites gain free publicity and allow 
users to sample one article. Clicking any deeper results in redirection 
to a subscription page. How is this done? HTTP_REFERER based 
authentication. Set one's referer to "news.google.com"  and voila... 
free premium access to the entire website. If anyone asks, you didn't 
hear this from me :)

The HTTP_REFERER is a poor source for authentication and should not be 
used for such purposes.

~Rolan

Joseph Crawford wrote:
> Guys,
>
> I know that HTTP_REFERER is not always accurate or even set.  There
> are also ways for people to fake that value.  I tend not to rely on
> that much however what i need to do is this.
>
> We have a file called spy.php that will return data to the browser if
> the sitekey is found in our database.  This data is to be used by
> members so they can show statistics on their site.  However to be sure
> that it was the correct sitekey i was also checking the referer domain
> against the domain stored in the database.  Is there a better way to
> do this?  I do not want someone to be able to display the stats for
> another site on theirs.
>
> Is there a way to do this or should i just base it on the sitekey and
> if it is valid return the stats for that particular site.  The sitekey
> is an md5 hash.
>
> Thanks,



More information about the talk mailing list