Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Javascript Referrer Check

Status
Not open for further replies.

BC000

Technical User
May 16, 2006
31
AU
I have a Javascript Referrer Check Script that I copied and pasted:

--------------------------------

<script>
<!--
/*Referrer Checker- By Website Abstraction
( Over 200+ free JavaScripts here!
*/

//specify valid referrals for script to accept
//if you wish an entire domain to be valid, enter that (ie: "wsabstract.com")
var validreferrals=new Array()
validreferrals[0]="

var passed=0

for (r=0;r<validreferrals.length;r++){
if (document.referrer.indexOf(validreferrals[r])!=-1){
passed=1
break
}
}

if (passed<>0){
alert("Access to the page denied! Please come through Member Menu")
history.go(-1)
}

//-->
</script>
------------------------------

Well, it works OK, if someone tries to enter the page from another url and not member's menu, but if someone just copies and pastes the url staright into the address bar of the web browser, it still works. That shouldn't be the case. If someone pastes the url straight into the address bar, it should show the propmt and not the page.

Is anyone aware of a better referrer check script?

Thanks.
 
Hi

BC000 said:
if someone just copies and pastes the url staright into the address bar of the web browser, it still works.
And also works if the visitor
[ul]
[li]opens the URL in new tab/window, where [tt]history[teal].[/teal]go[teal](-[/teal][purple]1[/purple][teal])[/teal][/tt] has nowhere to go back[/li]
[li]bookmarks the URL then visits it using the bookmark[/li]
[li]receives the URL in an e-mail and clicks it directly[/li]
[li]disables JavaScript[/li]
[li]disables sending the referrer[/li]
[li]sets a fake referrer[/li]
[li]comes from an address which contains any valid URL, like [ignore][/ignore]?something=[red][ignore][/ignore][/red]&somethingelse=nothing[/li]
[/ul]
BC000 said:
Is anyone aware of a better referrer check script?
I would first ask for a script that actually works. The one you posted will crash in Gecko, Presto, WebKit and KHTML, because no <> operator exists in JavaScript. And in case <> was used instead of [tt]!=[/tt], the logic is wrong. There should be equality check. ( Yepp, using boolean values for logical conditions, improves the readability. )

Personally I always suggest one thing : give up with the ideas to use the referrer to deny access.


Feherke.
 
I agree with Feherke, who must have a web security background ;-)

I see "cgi" in the URL there, which in the old days meant standalone executables for each page, but I assume you're actually using a framework. Can you comment on which framework you're using, and on whether that framework provides a means of securing pages via configuration information?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top