Solved

ActionScript and HTTP_REFERER

Posted on 2009-03-31
Last Modified: 2013-11-11
Hi,

I have an swf which calls an ASP file using

request_obj.sendAndLoad ("url", response_obj, "GET");

The ASP file checks for HTTP_REFERER to validate the origin of the call.

      IF request.servervariables("http_referer") <> "http://myurl.com/myfile.swf" then
            Response.End
      End if

Sadly, the returned http_referer is empty...

I saw this also happening using PHP...

How can I get the correct data from http_referer?

Thanks
Question by:moshem
Accepted Solution

by:
apresto earned 500 total points
ID: 24027127
http://www.velocityreviews.com/forums/t100975-requestservervariablesquothttprefererquot-contains-nothing-why.html
Quoted from above:
"HTTP_REFERER will be empty if the user visited the site without clicking a
link. Also, it is possible that the agent is not sending the referer. Some
security software will prevent a browser from sending this.

The only reliable way to do what you want is to have affiliates use a code
sent on the querystring - e.g.
www.yoursite.com/index.aspx?affiliatecode=123456. You could then either do
something with this code in your ASPX page (like log to a DB) or analyse
your log files. The latter would require that you manually link the
affiliate code to the actual person/company, whereas logging to a DB etc.
could allow a lot more scope, for example you could automatically reward the
affiliate when the referer code got to a given value."
Author Comment

by:moshem
ID: 24027175
I am trying to protect from someone who will decompile the swf and get the url data from it.

If I include some sort of a token, it too will be exposed to attackers.

The only way for me to make sure the only use of the service inside the ASP page is to check where it came from and allow it to move forward.

Expert Comment

by:CyanBlue
ID: 24027327
I don't know what would be a valid way of solving the problem, but HTTP_REFERER should never be used to validate the user since there are ways to fake that information...

If I expand apresto's method a bit further, you go to www.domain.com, the SWF calls your getToken.aspx page to receive a token which you dynamically generate, and pass that value back to validate.aspx where you will check whether it is valid or not considering all sorts of facts like the life of the token and session values and whatnots...

CyanBlue