a) Request.ServerVariables("HTTP_Referer") is populated from the data in the
HTTP Referer header that is sent by the client to the server. If there is no
data in that variable, then it is because the browser did not send any to
the server.
b) You can tamper with it easily. Here, I use telnet to "simulate" an HTTP
GET request, and populate the HTTP Referer header with any old data that I
like:

c:\>telnet
telnet>open www.yoursite.com 80
GET / HTTP/1.1
Host: www.yoursite.com
Referer: hahahahaha
[enter]
[enter]

In your logs, the referer will be "hahahahaha".

Cheers
Ken
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "M. H. K." <[EMAIL PROTECTED]>
Subject: Mystery behind REFERER
: Using <script>document.write ("<input type=hidden name=ref value='" +
document.referrer + "'>")</script>
:
: seems to me a better approach than
:
: Using request.ServerVariables to get the REFERER.
:
: In my experiments, I seem to get more referer on the 1st approach compared
: to the 2nd.
:
: We know that sometimes "referer" is just not available. I don't mean the
: bookmark|favorite origins or straight URLs or some DESKTOP situated web
: links. I mean the real mystery, that is, sometimes either the web servers
: or the browsers block this info, although there is a true REFERER.
:
: I'd like to read on this mystery. First of all, is it the servers or is it
: the browsers that block this info? And secondly, what's the most effective
: method in your experiments to get the most REFERER possible (where there
: is a TRUE referer available)?
:
: And finally I am hearing that it is somehow possible to TAMPER the referer
: info or the serverVariables("remote_addr"), thus they should not be
: considered as valid security measurements. If that's true, how do they
: get to tamper this info? There is no ASP code to make this happen. Then
: what is it?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
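
Added example (not part of the original thread): a local test server applies a Referer-based check and a server-signed token check to hand-written requests like the telnet one above, showing that the Referer check accepts whatever the client types. The X-Session and X-Token header names, the HMAC scheme, the key and the form.asp path are assumptions made for this demo.

```python
import hashlib
import hmac
import http.server
import socket
import threading

SECRET = b"constructed-demo-key"  # constructed; a real app loads a random key

def sign(session_id):
    """Server-issued token: HMAC over the session id (hypothetical scheme)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

class Handler(http.server.BaseHTTPRequestHandler):
    seen = []  # (referer, referer_gate_passed, token_gate_passed) per request

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        # Weak gate: trusts a header the client types itself.
        referer_ok = referer.startswith("http://www.yoursite.com/")
        # Stronger gate: token must equal what the server signed for the session.
        sid = self.headers.get("X-Session", "")  # hypothetical header names
        token_ok = hmac.compare_digest(self.headers.get("X-Token", ""), sign(sid))
        Handler.seen.append((referer, referer_ok, token_ok))
        self.send_response(200)
        self.end_headers()

def raw_get(port, extra_headers):
    """Send a hand-written GET to the local server, as the telnet session does."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(("GET / HTTP/1.1\r\nHost: www.yoursite.com\r\n"
                   + extra_headers + "Connection: close\r\n\r\n").encode())
        while s.recv(4096):  # drain until the server closes the connection
            pass

def demo():
    Handler.seen = []
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)  # loopback only
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    raw_get(port, "Referer: hahahahaha\r\n")
    raw_get(port, "Referer: http://www.yoursite.com/form.asp\r\n"
                  "X-Session: abc\r\nX-Token: guess\r\n")
    raw_get(port, "X-Session: abc\r\nX-Token: " + sign("abc") + "\r\n")
    srv.shutdown()
    srv.server_close()
    return Handler.seen

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The second request passes the Referer check with a typed-in header but fails the token check; the third has no Referer at all and still passes the token check, because only the server can produce the signature.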