Solved

ActionScript and HTTP_REFERER

Posted on 2009-03-31
3
370 Views
Last Modified: 2013-11-11
Hi,

I have an swf which calls an ASP file using

request_obj.sendAndLoad ("url", response_obj, "GET");

the ASP file checks for HTTP_REFERER to validate the origin of the call..

      IF request.servervariables("http_referer") <> "http://myurl.com/myfile.swf" then
            Response.End
      End if

sadly, the returned http_referer is empty...

I saw this also happening using PHP...

how can I get the correct data from http_referer ?

thanks
0
Comment
Question by:moshem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 23

Accepted Solution

by:
apresto earned 500 total points
ID: 24027127
http://www.velocityreviews.com/forums/t100975-requestservervariablesquothttprefererquot-contains-nothing-why.html
Quoted from above:
"HTTP_REFERER will be empty if the user visited the site without clicking a
link. Also, it is possible that the agent is not sending the referer. Some
security software will prvent a browser from sending this.

The only reliable way to do what you want is to have affliates use a code
sent on the querystring - e.g.
www.yoursite.com/index.aspx?affiliatecode=123456. You could then either do
something with this code in your ASPX page (Like log to a DB) or analyse
your log files. The latter would require that you manually link the
affiliate code to the actual person/company, where as logging to a DB etc
could allow alot more scope, for example you could automatically reward the
affliate when the referer code got to a given value."
0
 
LVL 1

Author Comment

by:moshem
ID: 24027175
I am trying to protect from someone who will decompile the swf and get the url data from it.

if I include some sort of a token, it too will be exposed to attackers.

the only way for me to make sure the only use of the service inside the ASP page is to check where it came from and allow it to move forward.

0
 
LVL 37

Expert Comment

by:CyanBlue
ID: 24027327
I don't know what would be a valid way of solving the problem, but HTTP_REFERER should never be used to validate the user since there are ways to fake that information...

If I expand apresto's method abit further, you go to www.domain.com, the SWF calls your getToken.aspx page to receive a token which you dynamically generate, and pass that value back to validate.aspx where you will check whether it is valid or not considering all sorts of facts like the life of the token and session values and whatnots...

CyanBlue
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Get hold of longitude and latitude in iframe string 11 60
Recordset containing single quotes 8 51
href return to normal window 5 43
Date on a table 16 44
Recently, I was asked to recommend a tracking system to be implemented on a clients website. As the entire site was built on flash, my first thought was to suggest custom built tracking system. However, our company at that point of time didn't h…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
The goal of the tutorial is to teach the user how to select the video input device. Make sure you have an input device that in connected and work and recognized by Adobe Flash Media Live Encoder and select it in the “video input” menu.
The goal of the tutorial is to teach the user what frame rate is, how to control it and what effect it has on the video.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question