HTTP REFERER is not set..

mehdi
Hi people,

Not sure where this question should go - but I figure that Apache admins will probably have some clue.

The problem is this.  The target code needs to check the referer, and is doing so fine.  However, we need to detect when one URL in particular has made the request for the current page.

We are logging the REFERER in the target script, but from the server we actually need to detect, there is no REFERER variable.

Assuming that we have access to change the calling server, and the target server, how can we ensure that the referer comes through?

Let me know if that needs further explanation.  Your help would be appreciated.

Many thanks in advance.

~~~~~~~~~~~~~~~~~~~~~~~~~~~
The secret lemonade drinker

Author

Commented:
I found this:

http://www.faqts.com/knowledge_base/view.phtml/aid/31/fid/9

so I think I should add that the calling page is not a link.  It's a script (search indexer) that makes HTTP requests, something that is not exactly covered by the link above.

Thanks

~~~~~~~~~~~~~~~~~~~~~~~~~~~
The secret lemonade drinker

mehdi -

Do you know what browser is being used?  HTTP_REFERER is not passed by some older browsers....

P.S. this might be of interest to you:

http://www.flora.org/lynx-dev/html/month011998/msg00304.html

In particular:

"Note that Lynx can be configured so that it never sends a Referer header, as is also the case for a number of browsers, so any procedure which depends on that header will be unreliable."

Author

Commented:
Thanks guys,

There is no browser involved in this situation.  The "thing" making the request is a program.  "The program" happens to be a script on another webserver (let's say a Perl script); it works by making HTTP requests to another server... since the requests are HTTP requests, I'm kind of hoping to be able to identify them from the target box.

The answer may be that the code making the HTTP request has to do something to set the REFERER; this is what I don't know.

Are there any "server" specific things needed to send the referer, or is this 'solely' the function of the user-agent?

Cheers,


Mehdi


~~~~~~~~~~~~~~~~~~~~~~~~~~~
The secret lemonade drinker
Hi Mehdi -

Your program is acting as the 'browser' in this case - and you are correct, it will have to set the HTTP_REFERER.  Offhand, however, I don't know how this is done.
P.S. I would expect that it would be part of the httpd spec:

http://www.w3.org/Protocols/

Commented:
But mehdi, just a question:

If your program sending the query is able to set the referer,
and if your script receiving the query checks only the referer,

don't you think that someone else can write a program that sends the same http_referer to the same URI?

I think in your case the best solution is simply to secure it with HTTP authentication, no matter with http_referer.

M.
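
The point raised in the last two replies, as an added example that is not part of the original thread: the calling script sets its own Referer, and the target logs that header but identifies the indexer by an HTTP Basic credential instead. The URL, user name, password and function names are constructed placeholders.

```python
import base64
import hmac
import urllib.request

# Constructed sample values (assumptions, not taken from the thread).
INDEXER_REFERER = "http://indexer.example/crawl"
INDEXER_USER, INDEXER_PASS = "indexer", "s3cret-placeholder"


def build_indexer_request(url):
    """Calling side: the script is the user agent, so it sets its own headers."""
    token = base64.b64encode(f"{INDEXER_USER}:{INDEXER_PASS}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Referer": INDEXER_REFERER,         # informational; any client can send this
        "Authorization": f"Basic {token}",  # the credential the target verifies
    })


def classify_request(headers):
    """Target side: returns (authenticated, referer_for_logging)."""
    referer = headers.get("Referer")  # None when the client sent no Referer
    auth = headers.get("Authorization", "")
    authenticated = False
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
            user, _, password = decoded.partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            user = password = ""
        # compare_digest avoids leaking match length through timing.
        authenticated = (hmac.compare_digest(user.encode(), INDEXER_USER.encode())
                         and hmac.compare_digest(password.encode(), INDEXER_PASS.encode()))
    return authenticated, referer


if __name__ == "__main__":
    req = build_indexer_request("http://target.example/page")
    print(classify_request(dict(req.header_items())))      # genuine indexer
    print(classify_request({"Referer": INDEXER_REFERER}))  # Referer copied, no credential
    print(classify_request({}))                            # client that sends neither
```

Basic credentials are only base64-encoded, so this belongs on an HTTPS connection between the two servers.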
