Solved

ActionScript and HTTP_REFERER

Posted on 2009-03-31
3
368 Views
Last Modified: 2013-11-11
Hi,

I have an swf which calls an ASP file using

request_obj.sendAndLoad ("url", response_obj, "GET");

the ASP file checks for HTTP_REFERER to validate the origin of the call..

      IF request.servervariables("http_referer") <> "http://myurl.com/myfile.swf" then
            Response.End
      End if

sadly, the returned http_referer is empty...

I saw this also happening using PHP...

how can I get the correct data from http_referer ?

thanks
0
Comment
Question by:moshem
3 Comments
 
LVL 23

Accepted Solution

by:
apresto earned 500 total points
ID: 24027127
http://www.velocityreviews.com/forums/t100975-requestservervariablesquothttprefererquot-contains-nothing-why.html
Quoted from above:
"HTTP_REFERER will be empty if the user visited the site without clicking a
link. Also, it is possible that the agent is not sending the referer. Some
security software will prvent a browser from sending this.

The only reliable way to do what you want is to have affliates use a code
sent on the querystring - e.g.
www.yoursite.com/index.aspx?affiliatecode=123456. You could then either do
something with this code in your ASPX page (Like log to a DB) or analyse
your log files. The latter would require that you manually link the
affiliate code to the actual person/company, where as logging to a DB etc
could allow alot more scope, for example you could automatically reward the
affliate when the referer code got to a given value."
0
 
LVL 1

Author Comment

by:moshem
ID: 24027175
I am trying to protect from someone who will decompile the swf and get the url data from it.

if I include some sort of a token, it too will be exposed to attackers.

the only way for me to make sure the only use of the service inside the ASP page is to check where it came from and allow it to move forward.

0
 
LVL 37

Expert Comment

by:CyanBlue
ID: 24027327
I don't know what would be a valid way of solving the problem, but HTTP_REFERER should never be used to validate the user since there are ways to fake that information...

If I expand apresto's method abit further, you go to www.domain.com, the SWF calls your getToken.aspx page to receive a token which you dynamically generate, and pass that value back to validate.aspx where you will check whether it is valid or not considering all sorts of facts like the life of the token and session values and whatnots...

CyanBlue
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Age between date range query (SP) 13 70
sql to convert to date IF entry is in date format 4 94
HTML 5 video and audio or Flash 1 61
key press alert 2 32
While working over numerous projects I often had the requirement for doing a screen capture in AS3.0. Unfortunately I found no "ready made" solutions in google search that suited my requirements. But I did come across some great resources which help…
The last time I worked with Flash and Socket connections was in AS1. A recent project required flash connecting to a Socket, and sending receiving information - we figured it would be easy enough - we all know about the socket policy documents and c…
The goal of the tutorial is to teach the user how to live broadcast using Flash Media Live Encoder and connecting it to YouTube to broadcast. Log into your Youtube account, choose live stream settings, start live stream from Flash Media Live Enc…
The goal of the tutorial is to teach the user how to select the video input device. Make sure you have an input device that in connected and work and recognized by Adobe Flash Media Live Encoder and select it in the “video input” menu.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question