Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 389
  • Last Modified:

ActionScript and HTTP_REFERER

Hi,

I have an swf which calls an ASP file using

request_obj.sendAndLoad ("url", response_obj, "GET");

the ASP file checks for HTTP_REFERER to validate the origin of the call..

      IF request.servervariables("http_referer") <> "http://myurl.com/myfile.swf" then
            Response.End
      End if

sadly, the returned http_referer is empty...

I saw this also happening using PHP...

how can I get the correct data from http_referer ?

thanks
0
moshem
Asked:
moshem
1 Solution
 
aprestoCommented:
http://www.velocityreviews.com/forums/t100975-requestservervariablesquothttprefererquot-contains-nothing-why.html
Quoted from above:
"HTTP_REFERER will be empty if the user visited the site without clicking a
link. Also, it is possible that the agent is not sending the referer. Some
security software will prvent a browser from sending this.

The only reliable way to do what you want is to have affliates use a code
sent on the querystring - e.g.
www.yoursite.com/index.aspx?affiliatecode=123456. You could then either do
something with this code in your ASPX page (Like log to a DB) or analyse
your log files. The latter would require that you manually link the
affiliate code to the actual person/company, where as logging to a DB etc
could allow alot more scope, for example you could automatically reward the
affliate when the referer code got to a given value."
0
 
moshemAuthor Commented:
I am trying to protect from someone who will decompile the swf and get the url data from it.

if I include some sort of a token, it too will be exposed to attackers.

the only way for me to make sure the only use of the service inside the ASP page is to check where it came from and allow it to move forward.

0
 
CyanBlueCommented:
I don't know what would be a valid way of solving the problem, but HTTP_REFERER should never be used to validate the user since there are ways to fake that information...

If I expand apresto's method abit further, you go to www.domain.com, the SWF calls your getToken.aspx page to receive a token which you dynamically generate, and pass that value back to validate.aspx where you will check whether it is valid or not considering all sorts of facts like the life of the token and session values and whatnots...

CyanBlue
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now