moshem
asked on
ActionScript and HTTP_REFERER
Hi,
I have an swf which calls an ASP file using
request_obj.sendAndLoad ("url", response_obj, "GET");
the ASP file checks for HTTP_REFERER to validate the origin of the call..
IF request.servervariables("h
Response.End
End if
sadly, the returned http_referer is empty...
I saw this also happening using PHP...
how can I get the correct data from http_referer ?
thanks
I have an swf which calls an ASP file using
request_obj.sendAndLoad ("url", response_obj, "GET");
the ASP file checks for HTTP_REFERER to validate the origin of the call..
IF request.servervariables("h
Response.End
End if
sadly, the returned http_referer is empty...
I saw this also happening using PHP...
how can I get the correct data from http_referer ?
thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I don't know what would be a valid way of solving the problem, but HTTP_REFERER should never be used to validate the user since there are ways to fake that information...
If I expand apresto's method abit further, you go to www.domain.com, the SWF calls your getToken.aspx page to receive a token which you dynamically generate, and pass that value back to validate.aspx where you will check whether it is valid or not considering all sorts of facts like the life of the token and session values and whatnots...
CyanBlue
If I expand apresto's method abit further, you go to www.domain.com, the SWF calls your getToken.aspx page to receive a token which you dynamically generate, and pass that value back to validate.aspx where you will check whether it is valid or not considering all sorts of facts like the life of the token and session values and whatnots...
CyanBlue
ASKER
if I include some sort of a token, it too will be exposed to attackers.
the only way for me to make sure the only use of the service inside the ASP page is to check where it came from and allow it to move forward.