Javascript Referrer Check

BC000

Technical User
May 16, 2006
31
AU
I have a Javascript Referrer Check Script that I copied and pasted:

--------------------------------

<script>
<!--
/*Referrer Checker- By Website Abstraction
( Over 200+ free JavaScripts here!
*/

//specify valid referrals for script to accept
//if you wish an entire domain to be valid, enter that (ie: "wsabstract.com")
var validreferrals=new Array()
validreferrals[0]="

var passed=0

for (r=0;r<validreferrals.length;r++){
if (document.referrer.indexOf(validreferrals[r])!=-1){
passed=1
break
}
}

if (passed<>0){
alert("Access to the page denied! Please come through Member Menu")
history.go(-1)
}

//-->
</script>
------------------------------

Well, it works OK if someone tries to enter the page from another URL and not the member's menu, but if someone just copies and pastes the URL straight into the address bar of the web browser, it still works. That shouldn't be the case. If someone pastes the URL straight into the address bar, it should show the prompt and not the page.

Is anyone aware of a better referrer check script?

Thanks.
 
Hi

BC000 said:
if someone just copies and pastes the url straight into the address bar of the web browser, it still works.

And also works if the visitor

  • opens the URL in new tab/window, where history.go(-1) has nowhere to go back
  • bookmarks the URL then visits it using the bookmark
  • receives the URL in an e-mail and clicks it directly
  • disables JavaScript
  • disables sending the referrer
  • sets a fake referrer
  • comes from an address which contains any valid URL, like ?something=&somethingelse=nothing

BC000 said:
Is anyone aware of a better referrer check script?
I would first ask for a script that actually works. The one you posted will crash in Gecko, Presto, WebKit and KHTML, because no <> operator exists in JavaScript. And in case <> was used instead of !=, the logic is wrong. There should be an equality check. (Yep, using boolean values for logical conditions improves the readability.)

Personally I always suggest one thing: give up the idea of using the referrer to deny access.


Feherke.
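
The cases listed in the reply above, run side by side as an added example (not code from the thread or from the original script's author). The member-menu URL, the in-memory session store and all requests are constructed assumptions; the session check stands in for whatever server-side access control the site's framework provides.

```javascript
// Added example: every URL and request below is constructed for illustration.
const MEMBER_MENU = "https://members.example/menu"; // hypothetical allowed referrer

// The posted script's test: substring match anywhere in the referrer.
function substringCheck(referrer, allowed) {
  return allowed.some((a) => referrer.indexOf(a) !== -1);
}

// Stricter variant: parse the referrer and compare origin and path exactly.
function exactCheck(referrer, allowed) {
  let ref;
  try { ref = new URL(referrer); } catch { return false; } // empty or malformed
  return allowed.some((a) => {
    const u = new URL(a);
    return ref.origin === u.origin && ref.pathname === u.pathname;
  });
}

// Server-side decision that ignores the referrer: only a session the server
// itself issued counts. `sessions` is a hypothetical in-memory store.
function sessionCheck(request, sessions) {
  const s = sessions.get(request.sessionId);
  return Boolean(s && s.member === true);
}

const sessions = new Map([["s-123", { member: true }]]);
const cases = [
  { name: "via member menu, logged in", referrer: MEMBER_MENU, sessionId: "s-123" },
  { name: "bookmark or pasted URL, logged in", referrer: "", sessionId: "s-123" },
  { name: "allowed URL inside another site's query string",
    referrer: "https://other.example/?something=" + MEMBER_MENU + "&somethingelse=nothing" },
  { name: "client-supplied referrer, no session", referrer: MEMBER_MENU },
];

// Returns one row per request with the verdict of each check.
function evaluate(list) {
  return list.map((c) => ({
    name: c.name,
    substring: substringCheck(c.referrer, [MEMBER_MENU]),
    exact: exactCheck(c.referrer, [MEMBER_MENU]),
    session: sessionCheck(c, sessions),
  }));
}

console.table(evaluate(cases));
```

Both referrer checks turn away the logged-in member who arrives by bookmark and admit the request with no session, because the referrer is a value the client chooses; only the session column matches who is actually a member.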
 
I agree with Feherke, who must have a web security background ;-)

I see "cgi" in the URL there, which in the old days meant standalone executables for each page, but I assume you're actually using a framework. Can you comment on which framework you're using, and on whether that framework provides a means of securing pages via configuration information?
 