Solved

ActionScript and HTTP_REFERER

Posted on 2009-03-31
3
375 Views
Last Modified: 2013-11-11
Hi,

I have an swf which calls an ASP file using

request_obj.sendAndLoad ("url", response_obj, "GET");

the ASP file checks for HTTP_REFERER to validate the origin of the call..

      IF request.servervariables("http_referer") <> "http://myurl.com/myfile.swf" then
            Response.End
      End if

sadly, the returned http_referer is empty...

I saw this also happening using PHP...

how can I get the correct data from http_referer ?

thanks
0
Comment
Question by:moshem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 23

Accepted Solution

by:
apresto earned 500 total points
ID: 24027127
http://www.velocityreviews.com/forums/t100975-requestservervariablesquothttprefererquot-contains-nothing-why.html
Quoted from above:
"HTTP_REFERER will be empty if the user visited the site without clicking a
link. Also, it is possible that the agent is not sending the referer. Some
security software will prvent a browser from sending this.

The only reliable way to do what you want is to have affliates use a code
sent on the querystring - e.g.
www.yoursite.com/index.aspx?affiliatecode=123456. You could then either do
something with this code in your ASPX page (Like log to a DB) or analyse
your log files. The latter would require that you manually link the
affiliate code to the actual person/company, where as logging to a DB etc
could allow alot more scope, for example you could automatically reward the
affliate when the referer code got to a given value."
0
 
LVL 1

Author Comment

by:moshem
ID: 24027175
I am trying to protect from someone who will decompile the swf and get the url data from it.

if I include some sort of a token, it too will be exposed to attackers.

the only way for me to make sure the only use of the service inside the ASP page is to check where it came from and allow it to move forward.

0
 
LVL 37

Expert Comment

by:CyanBlue
ID: 24027327
I don't know what would be a valid way of solving the problem, but HTTP_REFERER should never be used to validate the user since there are ways to fake that information...

If I expand apresto's method abit further, you go to www.domain.com, the SWF calls your getToken.aspx page to receive a token which you dynamically generate, and pass that value back to validate.aspx where you will check whether it is valid or not considering all sorts of facts like the life of the token and session values and whatnots...

CyanBlue
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I come across a lot of question about how to access things in the document class from a movieclip, or accessing something from a movieclip in the document class. It took me a while to figure this out but once I did it makes life so much easier. …
The last time I worked with Flash and Socket connections was in AS1. A recent project required flash connecting to a Socket, and sending receiving information - we figured it would be easy enough - we all know about the socket policy documents and c…
The goal of the tutorial is to teach the user how to set there setting in Adobe Flash Media Live Encoder and YouTube for optimal video and audio quality.
The goal of the tutorial is to teach the user what frame rate is, how to control it and what effect it has on the video.

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question