Browsers/blockers stopping http_referer 2


1DMF | Programmer | Jan 18, 2005 | GB
Can anyone tell me if there is software, or browsers, or indeed toolbars or plugins, which would deliberately withhold the HTTP_REFERER variable?

Or if there is a setting to turn this option on or off.

thanks
1DMF
 
I guess you don't understand the word MOST then!

MOST of the 64 million USERS who have downloaded it...

And if they didn't use it, how would you justify that they don't hold the same opinion as me? Pluck all the figures you like out of thin air, it won't change my opinion.

I also quantified that statement with a later post saying..
I'm all for any excuse to stop people using that rubbish browser.

I couldn't care what software was blocking the HTTP_REFERER, but if Firefox does it, that's good enough for me to tell my users not to use it.

It was a tongue-in-cheek comment that unfortunately people like you just have to go on and on about, trying to justify using FF. I've said enough about why I feel this way; if you want some sort of slanging match, use another post. I have no time for this pettiness. You obviously don't have a solution to the actual problem, which I shall remind anyone else who might find this thread of...

............................
How would you authenticate that the request of a posted form was from an acceptable domain WITHOUT using HTTP_REFERER?

All help appreciated
1DMF
 
lol, it just never stops. What part of IN MY OPINION do you people not understand? I'm glad I don't have any friends that use Firefox. Talk about anal!
 
that's good enough for me to tell my users not to use it.

You must have a strong business sense.

-kaht

...looks like you don't have a job, so why don't you get out there and feed Tina.
 
I guess you don't understand the word MOST then!
I guess you don't understand the point of any of the posts here then. I am a user of the Internet and have downloaded Firefox. Does this mean I use it? No, it doesn't, but the fact that I get a bundled piece of software (the web browser) with my OS, yet I have taken the time to find an alternative piece of software, suggests to me that MOST of the people who download are doing so for a reason.

it won't change my opinion.
As for quotes like that, I think it shows the kind of situation we are dealing with here. If you don't want to listen to other people's opinions, who are trying to offer an opinion on a question that you started, I'm not sure how anyone here can help you.

It was a tongue in cheek comment that unfortuantely people like you just have to go on and on, trying to justify using FF
Again, read my comments properly. Not once have I said anything about the pros or cons of Firefox (I even used x, y and z as an example specifically not to show any bias towards a particular browser).


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 
I'm having a think about your problem, not the peculiar perception of firefox :)-P) but the referer thing.

If it were me, I'd look at writing some kind of encrypted string from each domain and passing via POST then check that string against the permitted ones.

Kind of the way a car remote locking system works.


Anyway... I've got to add this, despite it being a bit off the track of the original thread.
Yes, FF takes a long time to start up, for me at least, as I have a ton of extensions installed. Out of the box it's nippy.
I would echo the statement that, if what you develop doesn't work in FF, then it's not necessarily FF that's at fault.
Just because it works in IE doesn't mean it's "right".
You may well have a shock when people start using IE7 (which sticks to W3C standards a little better than IE6). This means you have to go back and fix stuff.

Look at it this way.
I used to have a car that had a bent torsion bar. It pulled to the right a fair bit.
This made it great for going around roundabouts, but at the end of the day, it was broken (let alone a bit dangerous).
That's IE really.

Foamcow Heavy Industries - Web design and ranting
Target Marketing Communications - Advertising, Direct Marketing and Public Relations
I wonder what possesses people to make those animated gifs. Do you just get up in the morning and think, "You know what web design r
 
As for the actual question that you posted, I'm not sure what language you are using to develop in, but my sites make sure that the user is authenticated on each secured page. The user simply wouldn't be authenticated if they created their own form to post to my page. You could try taking this approach.



 
Excellent analogy FoamCow, I like it. At the end of the day at least you knew your car or the torsion bar was at fault.

I have no way of telling if it's IE, FF, SP2, Norton, etc..

All I know is I have less problems using the software I choose to use than what others might prefer me to use, or think I should use.

You can't please all the people all the time, and you can't write 100% compatible programs either. If MS can't do it and it's their OS, what chance do us mere mortals have?

I'm looking forward to IE7; let's see if my sites still look ok in that, though they work ok in FF as I use it for testing. I feel if it works in FF and IE, well, that's my main bases covered, apart from the forms looking awful in FF and I don't know why. Let's hope IE7 doesn't change that.

Regards, and thanks for seeing past all this other nonsense and posts and coming back to the question in hand.

I am trying to hold out the olive branch, honest :)
 
Oh, and how would I use an encrypted string, or other mechanism, to pass it to the script?

all that sits on the domain is a standard HTML form which is sent to my mail program, it authenticates by the HTTP_REFERER.

although I've had a post in the PERL forum saying that not only can the referer variable be blocked but it can also be faked!

I have no idea how you put dummy data in the referer variable. I would have thought the server dealt with this value, not the client side. Boy, this gets difficult to do such a simple thing.

maybe I need to find a virus writer or hacker, if they can hack all this security, surely they can write a decent authentication routine of use to someone!

I look forward to your possible solution

Regards,
1DMF
 
Unfortunately ca8msm, the form is public facing, so they do not log in to get access to it.

I have no problem with my members area bit, although it's a nightmare checking they are still logged in on each request as I won't use cookies, another one of my little pet hates. I believe in people's security and privacy and so disagree in principle with cookies. I'd use the IP, but for modem users it changes every five minutes. HTTP_REFERER is unreliable and blocked by some. It doesn't leave a lot left, does it?
Oh, I'm developing using HTML, JavaScript & Perl CGI.

 
It may be a public facing form, but being authenticated doesn't necessarily mean being logged in. For example, take those random images (with a mix of numbers & letters) that a lot of sites include when creating/registering as a new user. In my applications (using ASP.NET) I use GDI+ to generate this image and ask the user to type in the value that is shown in the image. This way I know that it is not an automated script that is registering but the user is still being authenticated even though they are not logged in.



 
Ahh, yes of course, PayPal and even Hotmail use that now. Good thinking, but how would I use pure HTML with JavaScript to do the same thing?

Any pointers? I'd prefer to have plain HTML if possible. You see, the idea is the form needs to be able to be made by anyone with just basic HTML knowledge, not any other dynamic web language such as ASP, Perl, PHP etc.

you see this is a difficult one and the easiest answer is HTTP_REFERER, but we all know where that discussion took us :p
 
Not very secure but you could provide a code to each client and have them use that to generate a validation string which they include in their form POST data.
I can't explain properly right now due to pressing deadlines but think of how PGP works.

-- Foamcow
 
no problem Foamcow, make sure you meet that deadline, before worrying over anything else.

What's PGP? And if it's a code that would be submitted with the post data, then wouldn't that easily be obtained by anyone viewing the source code of the HTML page?
 
I'm not sure exactly how it would be implemented, but I'm sure JavaScript may be able to provide some kind of functionality to do it. If you search for examples using "captcha" (as I think that this is what that technique is known as) you may come across some JavaScript examples.



 
I don't think it will solve my problem though. I will investigate and let you know how I get on.

To get a feel for what I'm doing, use the link below and it might be a bit clearer.

Also view the source and check the hidden fields and post info; you will see I want the form to be as easy as possible to create with only HTML knowledge (note any JavaScript I use is purely for my benefit, but not necessary to make a form work with my system).

Oh, and remember it won't work if you withhold http_referer. Also this site has a non-compliant CSS file, as I have used IE syntax for border style, so to see the form correctly I would use IE.

NOTE (everyone else, before you start: this is a test/devel site I haven't bothered to make compliant yet. I have many other sites which I have converted, and maybe one day I'll do this one, if I can find a solution to my authentication problem.)


regards,
1DMF
 
You certainly can't rely on HTTP_REFERER. Some browsers allow their users to block it, though I doubt whether many will. More to the point, firewalls and other internet security packages often include referrer blocking as one of the things they do. That means you're going to run into this problem more and more in the future.

Furthermore, this is information being sent to you by the client (it must be, or you couldn't disable it like that). As such, it's inherently unreliable. A not-particularly-skilled hacker could construct a request with a spoofed HTTP_REFERER without any great difficulty.

So, taking a step back, I've got some questions...

How critical is the security of this set-up? Are you looking to find out the source domain solely so you can apply the correct template to it, or is it important to secure the form between users? - say one client might pass themselves off as another for nefarious purposes.

Is it possible for other people to see, or to guess, the domain of a particular client?

Is this thing in the open internet, or hidden behind some password protection?

Are you talking only about a form that you're building on your site, or something that you're inviting your clients to build on theirs and then call your script?

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd
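Chris's two points above (privacy tools strip the header, and a client can set it to anything) are easy to see in code. The following is an added example, not code from the thread or from 1DMF's system: it starts a throwaway HTTP server on localhost whose handler does the naive check the thread relies on (accept the POST only when the Referer is on an allow-list), then sends three POSTs: an honest one, one with the header stripped the way a privacy extension or firewall would, and one with a forged header. The allow-listed domains and the `/mail.cgi` path are assumptions for the example.

```python
"""HTTP_REFERER is a client-supplied header: strip it, forge it, watch the check.

Added example.  Runs entirely offline against a local throwaway server.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError

# Assumption: the client sites whose forms are allowed to post to the mail script.
ALLOWED_REFERERS = ("http://client-a.example/", "http://client-b.example/")

# Opener with proxies disabled so the demo always talks to localhost directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def referer_is_allowed(referer):
    """The check the thread relies on: header present and on the allow-list."""
    if not referer:
        return False
    return any(referer.startswith(ok) for ok in ALLOWED_REFERERS)


class FormHandler(BaseHTTPRequestHandler):
    """Stand-in for the mail CGI: 200 if the Referer passes, 403 otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)                      # body is irrelevant here
        status = 200 if referer_is_allowed(self.headers.get("Referer")) else 403
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):                    # keep the demo quiet
        pass


def run_server():
    """Bind a random localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FormHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post(url, referer=None):
    """POST a dummy form body and return the HTTP status.

    referer=None sends no Referer header at all, which is exactly what a
    referer-blocking browser setting or security suite produces.
    """
    req = urllib.request.Request(url, data=b"name=x", method="POST")
    if referer is not None:
        req.add_header("Referer", referer)           # any value the client likes
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.getcode()
    except HTTPError as e:
        return e.code


def demo():
    """Return the status each kind of client gets from the referer check."""
    srv = run_server()
    url = "http://127.0.0.1:%d/mail.cgi" % srv.server_address[1]
    try:
        return {
            "honest": post(url, "http://client-a.example/contact.html"),
            "stripped": post(url, None),                     # legitimate user, blocked
            "forged": post(url, "http://client-a.example/"),  # attacker, accepted
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The honest and the forged request are indistinguishable to the server, while the privacy-conscious user is the one who gets turned away; that is the whole argument against using the header for authorisation.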
 
Hello chris,

The concept is this... how many people would love to have a form that, when filled out, is emailed to you looking EXACTLY as the form filled out: all the images, the fields, checkboxes, select lists, text areas, everything is the same in the email received... come on everybody (well, most, I'll be conservative).

How many would love to have this facility without knowing a single command of any programming language whatsoever, other than some simple HTML form tags?

How would you like to design a form, no programming, no Java, just a simple form, put it on your website, log in to my program, paste your form code into the textbox provided, give it a form ID and hit save?

Then when your form is submitted to my CGI it reads the corresponding template, gets the data submitted, populates all the relevant fields , tick boxes, select lists etc.. with all the data, makes them readonly and then emails you the form.

You get the results of the form looking like the form used to submit the data. (I also added extra features so you can control if you want a select lists selection to be displayed as a CSV field or checkboxes).

The point is the person making the form must not have to have JavaScript, may not know how to configure proxies, may be unable to write CGI, may know nothing about fancy graphic-generating validation programs, know nothing about CGI, ASP, PHP - JUST HTML!

But still gets the power of Rich Text Format emails looking like the submitted form with all the user selected data.

Now that's a kick ass idea, my system works apart from how do I authenticate the form with the domain it is sitting on without using HTTP_REFERER?

Now do you see my problem.

Maybe I'm caring too much, but firstly I don't want people using my mail server to spam or using other people's templates.

Oh, if you view the source of the link I posted earlier, you will see how the respective template is selected.

I think I'm trying to do something that just isn't possible, but I believe should be. Why is this referer blocked? I have a right, when someone tries to use a script or even load any page on my website, to know how you got there. I'm all for users' privacy, but telling me the URL that sent you is not breaching your privacy, but withholding it is denying my security.

Any thoughts?

1DMF


 
I have a right when someone tries to use a script or even load any page on my website to know how you got there

No you don't have any right at all. The VISITOR has the right to not tell you where they have been. It's none of your business what site I was at before yours.

You have the right to prevent non-authorised users from using your script/server/bandwidth. Can't deny that. But that is a different issue that you seem to be confusing.


Referer information is an optional part of an HTTP request. Some webservers won't pass the referer information anyway.

I still think the way to do this is by putting some kind of unique info into the form as a hidden field. Obviously this would be visible to anyone looking at the code, but if each "key" was written in "on the fly" by referring to a key generating script on your server then you could possibly implement some kind of ever changing, encrypted code. This code.
When the form hits your script you could check the key and decrypt it using your own key to find out whether it's legit.

As you can tell, I've not thought it through properly yet :)


-- Foamcow
 
No you don't have any right at all. The VISITOR has the right to not tell you where they have been. It's none of your business what site I was at before yours.

lol, I find it funny. I must admit I have different views to many regarding security, privacy, etc. on the internet.

You see there are always two sides to a coin, on the one hand you say I have no right to know what website you came from, but I have a right to know if the source was a valid one.

That leaves us with the current problem, but me knowing what site you came from is not an invasion of your privacy or rights, ONLY if i take that information and use it - then that is!

However if all i am doing is asking if the content of that variable equals a valid URL, then it is not.

So the actual solution to the problem is having that information sent but in a way that cannot be read or used only checked against a given value.

I'd rather see cookies more as an invasion of privacy, as the website has no right to create any file with any information on my computer whatsoever, or indeed read any file.

yet cookies are widely acceptable, it's a matter of perspective.

like I say i'm not sure there is an answer that can satisfy my project requirements and meet everyone's privacy preferences.

If a dynamic encrypted key is to be the answer, how would the form on the website get this key? The form page is a static HTML file.

It's funny how there are people who would withhold the HTTP_REFERER because it's their privacy right, but then readily log on to a peer-to-peer share program like Morpheus or Soulseek etc. and blatantly participate in stealing people's software and music, ignoring copyright laws.

The internet needs to grow up a bit before we can find a happy medium that is hacker free, theft free, spyware free, virus free, spam free, scam free.

Well you have to live in hope don't you.

 
A user can opt to block cookies too. Many do.
There are privacy options in all browsers to prevent cookie writing, as you no doubt know. The web is user-centric. It's up to the user what they share about themselves. Of course a site owner may require certain criteria to be met before the user accesses their site, such as yourself and a need to identify whether the site calling the script is valid.


However, it is an absolute invasion of privacy to know where a user came from if THEY don't wish you to. It's nothing to do with what you are using the information for. If not supplying the info means they can't use your site, then I guess that's the end of that. You can do nothing about it really except accept that some people aren't going to be able to use your script. Let them know, they can decide.

Now, from a commercial perspective it's obviously not desirable to put restrictions like this on something you want to sell to prospective clients!


Take this analogy. If you go into a store and the store owner knows where you've just been (say, Madam Gigi's Pron Emporium) and what you'd been looking at (I won't elaborate here) then would you not consider that to be an invasion of your privacy? He probably would do nothing with the info (perhaps other than simple blackmail), but the simple fact that he knows what you've been up to intrudes on your right to personal privacy.

Of course, our shopping habits are well recorded anyway by various agencies (credit cards, store cards etc) but the info is strictly controlled within the terms of a contract. When you sign up you are signing an agreement that allows them to do that.

Incidentally, while I tend to agree with your sentiments on P2P. Privacy and Copyright are two different things.

Yes, the web needs to grow up. Many people are trying to help this along, such as W3C with their "Microsoft bashing spree" (incidentally, if MS followed the guidelines they initially agreed to support then there wouldn't be so much of an IE issue). Much of this "growing up" needs to be done by developers who have an unshakeable belief in their own infallibility. Just because what developer "X" does works in his own testing environment does not mean it's "right".


Rant over.

Now the problem at hand.
- You can't use the referer info to identify that the domain calling the script is legit. It's not secure and will fail often.
- The servers hosting the forms do not have server-side language capability (or at least the clients don't/can't use it).

I'm stumped for now. My "key" solution would require some kind of link to a script on your site.

-- Foamcow
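Foamcow's two sketches (an "encrypted string" per client passed in the POST, and later a key issued on the fly by a script on the operator's own server and checked when the form arrives) and 1DMF's objection that anything in a hidden field is visible in the page source can be made concrete. What follows is an added example, not code from the thread or from 1DMF's form-to-email system, and it assumes a secret known only to the mail server, a form ID that selects the stored template, and the client's domain, as the thread describes them. The operator's site issues an HMAC token when the client saves a template; the client pastes a few hidden fields into their plain-HTML form (no server-side language on their host); the mail CGI verifies the token on every POST and never looks at HTTP_REFERER.

```python
"""Signed form token in place of the HTTP_REFERER check.

Added example.  The token binds (form_id, domain, expiry) under a server
secret, so a submission can only reach the template it was issued for and
only until it expires.
"""
import hashlib
import hmac
import time

# Assumption: a secret held only on the mail server, never sent to clients.
SECRET = b"example-server-secret-change-me"
TOKEN_TTL = 24 * 3600      # assumption: how long an issued token stays valid


def _mac(form_id, domain, expires):
    """HMAC-SHA256 over the fields the mail script must trust."""
    msg = ("%s|%s|%d" % (form_id, domain, expires)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(form_id, domain, now=None):
    """Foamcow's 'key generating script': run on the operator's site when a
    client saves a template.  Returns the hidden-field values for the form."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    return {"form_id": form_id, "domain": domain, "expires": str(expires),
            "token": _mac(form_id, domain, expires)}


def hidden_fields_html(fields):
    """The markup a client pastes into their static HTML form."""
    return "\n".join('<input type="hidden" name="%s" value="%s">' % (k, v)
                     for k, v in fields.items())


def verify_submission(post, now=None):
    """Run by the mail CGI on every POST.  Returns the bound form_id (which
    selects the template) on success, None otherwise.  HTTP_REFERER unused."""
    now = int(time.time()) if now is None else now
    try:
        form_id, domain = post["form_id"], post["domain"]
        expires = int(post["expires"])
        token = post["token"]
    except (KeyError, ValueError):
        return None                      # fields missing or malformed
    if now > expires:
        return None                      # expired: client re-issues from the site
    expected = _mac(form_id, domain, expires)
    if not hmac.compare_digest(expected, token):
        return None                      # any field tampered with, or no token
    return form_id


if __name__ == "__main__":
    fields = issue_token("contact-42", "client-a.example")
    print(hidden_fields_html(fields))
    print("valid   ->", verify_submission(fields))
    tampered = dict(fields, form_id="someone-elses-template")
    print("tampered->", verify_submission(tampered))
    print("copied  ->", verify_submission(dict(fields)))   # still accepted
```

What this does and does not buy: a POST with no token, a token pasted into a form for a different form ID, or a token past its expiry is refused, so nobody can drive the mail script without a registered template or point one client's submissions at another client's template, and a leaked token is revocable by re-issuing. It does not prove which site the form was served from, exactly as 1DMF noted: the token is in the page source and can be copied verbatim, so abuse of a particular client's template from elsewhere still needs the other measures raised in the thread (a captcha, and rate limiting on the mail script).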
 