Re: HttpResponseRedirect(request.META["HTTP_REFERER"])

2009-09-24 Thread Tim Chase

dijxtra wrote:
> Is it safe to use HttpResponseRedirect(request.META["HTTP_REFERER"])?
> Can a session be stolen using this code by spoofing HTTP_REFERER?

Two things stand out to me:

1) HTTP_REFERER is not a required header, so if the browser 
doesn't send it, your code won't do what you expect.  I'd use

   DEFAULT_URL = 'http://example.com/wherever/'
   destination = request.META.get('HTTP_REFERER', DEFAULT_URL)

People strip it out for privacy, spoof it intentionally, and not 
all proxy servers forward the HTTP_REFERER (or do it correctly). 
It's user-originated data, so not to be trusted. :)

2) while it's not session-stealing, it might be possible for an 
attacker to set up phishing sites that look like your site that 
can be directed through your page.  It might be possible to have 
this information leaked to the phishing site (I'd look first at 
sensitive information in the GET parameters) if they're 
redirected back to the phishing site.  As such, I'd have my code 
assert that the destination begins with the expected URL prefix, 
something like

   MY_BASE_URL = 'http://example.com/' # trailing slash important
   if destination.startswith(MY_BASE_URL):
       return HttpResponseRedirect(destination)
   else:
       return handle_spoofed_http_referer(destination)


I don't believe it can be used to steal a session unless there 
are other pages on your domain that you don't trust :)  This 
would be a scenario something like

http://example.com/mysite/
http://example.com/evil_site/

If that's the case, get a better host that doesn't house 
malevolent characters in a shared domain :)  I believe session 
information is usually stored in cookies (whether database 
backed, or signed-cookie-content backed), and browsers shouldn't 
send cookies to the wrong domain.


So it boils down to basic common-sense internet cautions:

1) don't trust it, but use it for convenience after validating it

2) don't put sensitive information in your GET params

3) do host on a decent provider that doesn't do stupid stuff


There might be other issues, but they've neither crossed my radar 
before, nor turned up in a short google regarding HTTP_REFERER 
security issues.

-tim
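The prefix check in Tim's reply, and the "carry the return URL in a hidden field instead of relying on the referer" approach from the older HTTP_REFERER threads further down, both come down to validating a user-supplied URL before redirecting to it. The following is an added example written for this digest, not code from any of the posters; it assumes constructed host names (example.com, www.example.com), a made-up DEFAULT_URL, and a hidden form field called `next`, and it uses only the standard library so it runs without Django.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hosts this site is served on.
ALLOWED_HOSTS = {'example.com', 'www.example.com'}
DEFAULT_URL = 'http://example.com/wherever/'


def is_own_site_url(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for an absolute http(s) URL whose host is one of ours.

    Parsing with urlsplit, rather than a bare startswith() on a prefix,
    lets one check accept https and several hostnames, and it is not
    fooled by 'http://example.com.evil.test/' (a different host) or by
    'http://example.com@evil.test/' (our name in the userinfo part).
    """
    if not url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ('http', 'https'):
        return False  # rejects scheme-relative '//evil.test/', 'javascript:' etc.
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in allowed_hosts


def pick_return_url(meta, post, default=DEFAULT_URL):
    """Choose where to send the user after a form submit.

    An explicit hidden 'next' field (what Andreas and ringemup suggest for
    browsers that strip the referer) is tried first, then the Referer
    header, then a fixed default; every candidate goes through the same
    validation, because both values are user-originated.
    """
    for candidate in (post.get('next'), meta.get('HTTP_REFERER')):
        if is_own_site_url(candidate):
            return candidate
    return default
```

Current Django ships the same check as django.utils.http.url_has_allowed_host_and_scheme() (is_safe_url() in older releases), which is what to call in real code.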






--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---



HttpResponseRedirect(request.META["HTTP_REFERER"])

2009-09-24 Thread dijxtra

Is it safe to use HttpResponseRedirect(request.META["HTTP_REFERER"])?
Can a session be stolen using this code by spoofing HTTP_REFERER?

Thanks in advance,
nick



Re: HTTP_REFERER

2007-02-19 Thread Benedict Verheyen

Pythoni wrote:
> I would like to use HTTP_REFERER in my Django project to find out from
> where users came to my website. So, my first page is INDEX.HTML that
> uses
> def Index(request) procedure.
> In this def Index(request) I use
> request.META['REMOTE_ADDR']
> but I found out that Referer does not work.
> HTTP_REFERER  is empty.
> Is HTTP_REFERER value transferred between different domains?
> Thank you for help
> L.

I had the same problem. HTTP_REFERER was set when using Firefox yet IE
didn't play with HTTP_REFERER.
My solution was to keep track of the history of pages myself.
I made functions to get and set the history. I add pages to a queue-like
object and when I want to return to a previous page, I do this by
getting the latest added link and go back to there.
It works but I would also have rather used HTTP_REFERER.

Regards,
Benedict





Re: HTTP_REFERER

2007-02-17 Thread [EMAIL PROTECTED]


Pythoni wrote:
> I would like to use HTTP_REFERER in my Django project to find out from
> where users came to my website. So, my first page is INDEX.HTML that
> uses
> def Index(request) procedure.
> In this def Index(request) I use
> request.META['REMOTE_ADDR']
> but I found out that Referer does not work.
> HTTP_REFERER  is empty.
> Is HTTP_REFERER value transferred between different domains?
> Thank you for help
> L.

It works for me on the dev server and mod_python. Note that
HTTP_REFERER doesn't always have a value. Also browser settings may
affect it (the browser may not send the referer in the header).





HTTP_REFERER

2007-02-17 Thread Pythoni

I would like to use HTTP_REFERER in my Django project to find out from
where users came to my website. So, my first page is INDEX.HTML that
uses
def Index(request) procedure.
In this def Index(request) I use
request.META['REMOTE_ADDR']
but I found out that Referer does not work.
HTTP_REFERER  is empty.
Is HTTP_REFERER value transferred between different domains?
Thank you for help
L.





Re: HTTP_REFERER isn't set using Explorer

2007-01-04 Thread Benedict Verheyen


ringemup wrote:

> Julio's hit it on the nose.  Not to mention that Firefox actually has a
> hidden setting for that too, and some proxies (including AOL's) also
> block referrers.  You might be best off explicitly passing the URL of
> the current page as a parameter.

I still find it strange that only Explorer is affected and that Firefox
handles everything ok.
Anyway, I'll try and implement it as a parameter.

Thanks for the info,
Benedict





Re: HTTP_REFERER isn't set using Explorer

2007-01-04 Thread ringemup


Julio's hit it on the nose.  Not to mention that Firefox actually has a
hidden setting for that too, and some proxies (including AOL's) also
block referrers.  You might be best off explicitly passing the URL of
the current page as a parameter.





Re: HTTP_REFERER isn't set using Explorer

2007-01-04 Thread Julio Nobrega


On 1/4/07, Benedict Verheyen <[EMAIL PROTECTED]> wrote:

> Hi,
>
> This is what goes wrong in explorer: the HTTP_REFERER isn't set.
> With Firefox, the HTTP_REFERER is set.
>
> Any idea how I can solve this?

I had this problem with a client that was running Norton and
somewhere in the program preferences there's an option to disable the
browser referer. This is not exactly the name of the option, you'll
have to search for it. Maybe there's some application blocking,
especially if there's one installed that has privacy settings.

--
Julio Nobrega - http://www.inerciasensorial.com.br




HTTP_REFERER isn't set using Explorer

2007-01-04 Thread Benedict Verheyen


Hi,

I have a table where I want the users to be able to edit
cells by clicking on them. Then they get the usual edit view
and after the changes are saved, they are redirected back
to the table view.
I use this in my template:
   

It works for Firefox but unfortunately we use Explorer here
and Explorer doesn't work.
In the edit view I have a system where I keep track of the
referrer so I can redirect the user back to the correct page:
   page = request.META["HTTP_REFERER"]
   history[1] = history[0]
   history[0] = page

This is what goes wrong in explorer: the HTTP_REFERER isn't set.
With Firefox, the HTTP_REFERER is set.

I tried to solve it by using a javascript function in the template
that explicitly sets the document.referrer.
The td code then looks like this:
   <td onclick="edit({{patient.id}})">

The javascript function:
   {% block extrahead %}
   <script type="text/javascript">
   // Only script specific to this form goes here.
   // General-purpose routines are in a separate file.
   function edit(id) {
       document.referrer=window.location;
       window.location='/patient/edit/id/'
   };
   </script>
   {% endblock %}

Unfortunately, this doesn't work in either Firefox or Explorer.
In Firefox the clicking doesn't work; in Explorer, the click doesn't work
and gives an error (runtime error on the
document.referrer=window.location; line).

Any idea how I can solve this?

Thanks,
Benedict




Re: HTTP_REFERER

2005-11-07 Thread PythonistL

Thank you Andreas and Luke for help and explanation
Regards,
L.



Re: HTTP_REFERER

2005-11-05 Thread Luke Plant

On Sat, 05 Nov 2005 03:04:27 -0800 PythonistL wrote:

> 
> I use the following view for user's log in
> ###
> def MyLogin(request):
>     WrongID=0
>     AllGood=1
>     if request.POST:
>         print "Refferer1 from POST",Refferer1

At this point, you haven't yet set Referrer1, so it will throw an
exception.  I've tested it and request.META['HTTP_REFERER'] always does
have the referer as it ought, but if there is no referer header it will
throw a KeyError, so you need to do something like this:

referer = request.META.get('HTTP_REFERER', None)

You should also note that the header can be forged, and some people
have it turned off for privacy reasons, so I wouldn't rely on it being
there.  It is not reliably present, and not reliable if present.

Luke


-- 
"I regret I wasn't born with opposable toes." (Calvin and Hobbes)

Luke Plant || L.Plant.98 (at) cantab.net || http://lukeplant.me.uk/


Re: HTTP_REFERER

2005-11-05 Thread Andreas Stuhlmüller

PythonistL wrote:
> Can anybody explain WHY the value from GET part
> (command on line 15 such as
> Refferer1= request.META['HTTP_REFERER']
> ) is not saved to POST?

request.POST contains only the variables POSTed by the user. You'll
have to make sure that the referer variable is part of your form if you
want to use it after form submission.

You could, for example, change your last line to

return render_to_response('board/LoginForm',
    {'form':form, 'ref':request.META['HTTP_REFERER']})

and render {{ ref }} as the value of a hidden input field in your login
form. Thus request.POST['ref'] will contain the referer.

Andreas



HTTP_REFERER

2005-11-05 Thread PythonistL

I use the following view for user's log in
###
def MyLogin(request):
    WrongID=0
    AllGood=1
    if request.POST:
        print "Refferer1 from POST",Refferer1
        try:
            u=users.get_object(Login__exact=request.POST['Login'])
        except users.UserDoesNotExist:
            WrongID=1
        if not WrongID and (u.Password==request.POST['Password']):
            return render_to_response('board/SuccessfulLogin', {'u': u})
        else:
            return HttpResponse("Wrong ID or a password.")
    else:#first GET the LoginForm
        Refferer1= request.META['HTTP_REFERER']
        print "Refferer1 from GET",Refferer1
        manipulator = users.AddManipulator()
        errors = new_data = {}
        form = formfields.FormWrapper(manipulator, new_data, errors)
        return render_to_response('board/LoginForm', {'form':form})
###
and I would like to check 'HTTP_REFERER' so I use
Refferer1= request.META['HTTP_REFERER']
on line 15.
I want to use the same 'HTTP_REFERER' value I got from GET, in POST
part too ( line 5), but it is empty on line 5. The value is not saved
from GET ( line 15).
Can anybody explain WHY the value from GET part
(command on line 15 such as
Refferer1= request.META['HTTP_REFERER']
)
is not saved to POST?
Thank you
L.