NYCPHP Meetup

NYPHP.org

[nycphp-talk] Safest and best way to get the referer

inforequest 1j0lkq002 at sneakemail.com
Wed Jan 31 15:52:01 EST 2007


Rolan Yang rolan-at-omnistep.com |nyphp dev/internal group use| wrote:

> Relying on the integrity of HTTP_REFERER is simply a bad idea.
> End user tools such as the RefControl plugin for Firefox make it easy 
> for anyone to spoof the referer.
>
> I am aware of a handful of news subscription websites (which shall not 
> be listed here) that restrict their content to paying customers. 
> However, to boost rankings in the search engines, the websites make a 
> page of premium content available through news aggregators like 
> news.google.com. As a result, the websites gain free publicity and 
> allow users to sample one article. Clicking any deeper results in 
> redirection to a subscription page. How is this done? HTTP_REFERER 
> based authentication. Set one's referer to "news.google.com"  and 
> voila... free premium access to the entire website. If anyone asks, 
> you didn't hear this from me :)
>
> The HTTP_REFERER is a poor source for authentication and should not be 
> used for such purposes.
>
> ~Rolan
>
> Joseph Crawford wrote:
>
>> Guys,
>>
>> I know that HTTP_REFERER is not always accurate or even set.  There
>> are also ways for people to fake that value.  I tend not to rely on
>> that much however what i need to do is this.
>>
>> We have a file called spy.php that will return data to the browser if
>> the sitekey is found in our database.  This data is to be used by
>> members so they can show statistics on their site.  However to be sure
>> that it was the correct sitekey i was also checking the referer domain
>> against the domain stored in the database.  Is there a better way to
>> do this?  I do not want someone to be able to display the stats for
>> another site on theirs.
>>
>> Is there a way to do this or should i just base it on the sitekey and
>> if it is valid return the stats for that particular site.  The sitekey
>> is an md5 hash.
>>
>> Thanks,
>

I don't know, Rolan. If they desire to block people who haven't been 
referred by news.google.com and who don't know how to spoof the 
referrer, then they have a pretty good solution in place. Everything's 
relative?

(I overheard a conversation in a restaurant about the Theory of 
Relativity. Grandma was with the grown up kids and overhears a mention 
of Einstein. So she says "I never knew what the big deal was with 
Einstein and relativity. It seems pretty basic to me. If you look at 
something, it might seem small. But if you compare it to a pea it's big. 
So it's relative. I could have told you that. What makes Einstein so 
special?")
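Added example, not code from the thread or from the spy.php Joseph describes: a PHP stats endpoint that decides access on the sitekey alone and reduces the Referer to a log-only hint, which is the split the replies above argue for. The in-memory $sites table and its md5 sitekey are constructed stand-ins for the database lookup.

```php
<?php
// Added example, not code from the thread: a stats endpoint in the style
// of the spy.php above. Access is decided by the sitekey alone; the Referer
// is only logged. The $sites table is a constructed stand-in for the DB.
$sites = [ // constructed sample: sitekey (md5 hex) => site record
    md5('example.org-constructed-secret') => [
        'domain' => 'example.org',
        'stats'  => ['visits' => 1234, 'uniques' => 567],
    ],
];
// Site record for a well-formed, known sitekey, else null. hash_equals()
// keeps the comparison constant-time so timing leaks nothing about the key.
function lookup_site(string $sitekey, array $sites): ?array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $sitekey)) {
        return null;
    }
    foreach ($sites as $known => $record) {
        if (hash_equals((string)$known, $sitekey)) {
            return $record;
        }
    }
    return null;
}

// Compare the Referer host with the stored domain. The header is absent or
// client-controlled often enough that the result only feeds a log line.
function referer_hint(?string $referer, string $expected): string
{
    if ($referer === null || $referer === '') {
        return 'absent';
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return 'unparseable';
    }
    return strcasecmp($host, $expected) === 0 ? 'match' : 'mismatch';
}

header('Content-Type: application/json');
$site = lookup_site((string)($_GET['sitekey'] ?? ''), $sites);
if ($site === null) {
    http_response_code(403);
    echo json_encode(['error' => 'unknown sitekey']);
    exit;
}
$hint = referer_hint($_SERVER['HTTP_REFERER'] ?? null, $site['domain']);
if ($hint !== 'match') {
    error_log("referer {$hint} for sitekey of {$site['domain']}");
}
echo json_encode($site['stats']); // stats bound to this key either way
```

Because the response is always the stats belonging to the presented sitekey, a copied key only lets someone redisplay that site's own numbers; the Referer mismatch log is where you would notice it happening.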
