Re: HttpResponseRedirect(request.META["HTTP_REFERER"])
dijxtra wrote:
> Is it safe to use HttpResponseRedirect(request.META["HTTP_REFERER"])?
> Can a session be stolen using this code by spoofing HTTP_REFERER?

Two things stand out to me:

1) HTTP_REFERER is not a required header, so if the browser doesn't send it, your code won't do what you expect. I'd use

    DEFAULT_URL = 'http://example.com/wherever/'
    destination = request.META.get('HTTP_REFERER', DEFAULT_URL)

People strip it out for privacy, spoof it intentionally, and not all proxy servers forward the HTTP_REFERER (or do it correctly). It's user-originated data, so not to be trusted. :)

2) while it's not session-stealing, it might be possible for an attacker to set up phishing sites that look like your site that can be directed through your page. It might be possible to have this information leaked to the phishing site (I'd look first at sensitive information in the GET parameters) if they're redirected back to the phishing site. As such, I'd have my code assert that the destination begins with the expected URL prefix, something like

    MY_BASE_URL = 'http://example.com/' # trailing slash important
    if destination.startswith(MY_BASE_URL):
        return HttpResponseRedirect(destination)
    else:
        return handle_spoofed_http_referer(destination)

I don't believe it can be used to steal a session unless there are other pages on your domain that you don't trust :) This would be a scenario something like

    http://example.com/mysite/
    http://example.com/evil_site/

If that's the case, get a better host that doesn't house malevolent characters in a shared domain :)

I believe session information is usually stored in cookies (whether database backed, or signed-cookie-content backed), and browsers shouldn't send cookies to the wrong domain.
So it boils down to basic common-sense internet cautions:

1) don't trust it, but use it for convenience after validating it
2) don't put sensitive information in your GET params
3) do host on a decent provider that doesn't do stupid stuff

There might be other issues, but they've neither crossed my radar before, nor turned up in a short google regarding HTTP_REFERER security issues.

-tim

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---
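An added example, not code from the original thread: one way to do the validation described in the reply above by parsing the Referer and comparing its scheme and host, rather than matching a string prefix. The names `pick_redirect`, `ALLOWED_HOSTS` and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: the site's own host and a fallback page.
ALLOWED_HOSTS = {"example.com"}
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_URL = "http://example.com/wherever/"


def pick_redirect(referer, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_URL):
    """Return `referer` only if it points at one of our own hosts."""
    if not referer:
        return default  # header missing or empty
    # Backslashes and control characters are parsed differently by
    # browsers and by urlsplit(), so refuse them outright.
    if any(c == "\\" or ord(c) < 0x20 for c in referer):
        return default
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. a malformed IPv6 literal
        return default
    if parts.scheme not in ALLOWED_SCHEMES:
        return default  # rejects "//host/...", "javascript:", ...
    # .hostname drops any "user@" prefix and port, and lowercases the host.
    if parts.hostname not in allowed_hosts:
        return default
    return referer


# Constructed Referer values, not taken from real traffic.
SAMPLES = [
    None,
    "http://example.com/patient/list/?page=2",
    "http://example.com.evil.test/login",
    "http://example.com@evil.test/",
    "//evil.test/x",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", pick_redirect(value))
```

In a view this would be used as `HttpResponseRedirect(pick_redirect(request.META.get('HTTP_REFERER')))`. Recent Django versions also ship `django.utils.http.url_has_allowed_host_and_scheme` for the same purpose.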
HttpResponseRedirect(request.META["HTTP_REFERER"])
Is it safe to use HttpResponseRedirect(request.META["HTTP_REFERER"])?
Can a session be stolen using this code by spoofing HTTP_REFERER?

Thanks in advance,
nick
Re: HTTP_REFERER
Pythoni wrote:
> I would like to use HTTP_REFERER in my Django project to find out from
> where users came to my website. So, my first page is INDEX.HTML that
> uses
> def Index(request) procedure.
> In this def Index(request) I use
> request.META['REMOTE_ADDR']
> but I found out that Referer does not work.
> HTTP_REFERER is empty.
> Is HTTP_REFERER value transferred between different domains?
> Thank you for help
> L.

I had the same problem. HTTP_REFERER was set when using Firefox yet IE didn't play with HTTP_REFERER. My solution was to keep track of the history of pages myself. I made functions to get and set the history. I add pages to a queue-like object and when I want to return to a previous page, I do this by getting the latest added link and go back to there. It works but I would also have rather used HTTP_REFERER.

Regards,
Benedict
Re: HTTP_REFERER
Pythoni wrote:
> I would like to use HTTP_REFERER in my Django project to find out from
> where users came to my website. So, my first page is INDEX.HTML that
> uses
> def Index(request) procedure.
> In this def Index(request) I use
> request.META['REMOTE_ADDR']
> but I found out that Referer does not work.
> HTTP_REFERER is empty.
> Is HTTP_REFERER value transferred between different domains?
> Thank you for help
> L.

It works for me on the dev server and mod_python. Note that HTTP_REFERER doesn't always have a value. Also browser settings may affect it (may not send the referer in the header).
HTTP_REFERER
I would like to use HTTP_REFERER in my Django project to find out from where users came to my website. So, my first page is INDEX.HTML that uses
def Index(request) procedure.
In this def Index(request) I use
request.META['REMOTE_ADDR']
but I found out that Referer does not work.
HTTP_REFERER is empty.
Is HTTP_REFERER value transferred between different domains?
Thank you for help
L.
Re: HTTP_REFERER isn't set using Explorer
ringemup wrote:
> Julio's hit it on the nose. Not to mention that Firefox actually has a
> hidden setting for that too, and some proxies (including AOL's) also
> block referrers. You might be best off explicitly passing the URL of
> the current page as a parameter.

I still find it strange that only Explorer is affected and that Firefox handles everything ok. Anyway, I'll try and implement it as a parameter.

Thanks for the info,
Benedict
Re: HTTP_REFERER isn't set using Explorer
Julio's hit it on the nose. Not to mention that Firefox actually has a hidden setting for that too, and some proxies (including AOL's) also block referrers. You might be best off explicitly passing the URL of the current page as a parameter.
Re: HTTP_REFERER isn't set using Explorer
On 1/4/07, Benedict Verheyen <[EMAIL PROTECTED]> wrote:
> Hi,
> This is what goes wrong in explorer: the HTTP_REFERER isn't set.
> With Firefox, the HTTP_REFERER is set.
> Any idea how I can solve this?

I had this problem with a client that was running Norton and somewhere in the program preferences there's an option to disable the browser referer. This is not exactly the name of the option, you'll have to search for it.

Maybe there's some application blocking, specially if there's one installed that has privacy settings.

--
Julio Nobrega - http://www.inerciasensorial.com.br
HTTP_REFERER isn't set using Explorer
Hi,

I have a table where I want the users to be able to edit cells by clicking on them. Then they get the usual edit view and after the changes are saved, they are redirected back to the table view. I use this in my template:

It works for Firefox but unfortunately we use Explorer here and Explorer doesn't work. In the edit view I have a system where I keep track of the referrer so I can redirect the user back to the correct page:

    page = request.META["HTTP_REFERER"]
    history[1] = history[0]
    history[0] = page

This is what goes wrong in explorer: the HTTP_REFERER isn't set. With Firefox, the HTTP_REFERER is set.

I tried to solve it by using a javascript function in the template that explicitly sets the document.referrer. The td code then looks like this:

    onclick="edit({{patient.id}})">

The javascript function:

    {% block extrahead %}
    // Only script specific to this form goes here.
    // General-purpose routines are in a separate file.
    function edit(id) {
        document.referrer=window.location;
        window.location='/patient/edit/id/'
    };
    {% endblock %}

Unfortunately, this doesn't work for both Firefox and Explorer. In Firefox the clicking doesn't work, in Explorer, the click doesn't work and gives an error (runtime error on the document.referrer=window.location; line).

Any idea how I can solve this?

Thanks,
Benedict
Re: HTTP_REFERER
Thank you Andreas and Luke for help and explanation.

Regards,
L.
Re: HTTP_REFERER
On Sat, 05 Nov 2005 03:04:27 -0800 PythonistL wrote:

> I use the following view for user's log in
> ###
> def MyLogin(request):
>     WrongID=0
>     AllGood=1
>     if request.POST:
>         print "Refferer1 from POST",Refferer1

At this point, you haven't yet set Refferer1, so it will throw an exception.

I've tested it and request.META['HTTP_REFERER'] always does have the referer as it ought, but if there is no referer header it will throw a KeyError, so you need to do something like this:

    referer = request.META.get('HTTP_REFERER', None)

You should also note that the header can be forged, and some people have it turned off for privacy reasons, so I wouldn't rely on it being there. It is not reliably present, and not reliable if present.

Luke

--
"I regret I wasn't born with opposable toes." (Calvin and Hobbes)

Luke Plant || L.Plant.98 (at) cantab.net || http://lukeplant.me.uk/
Re: HTTP_REFERER
PythonistL wrote:
> Can anybody explain WHY the value from GET part
> (command on line 15 such as
> Refferer1= request.META['HTTP_REFERER']
> ) is not saved to POST?

request.POST contains only the variables POSTed by the user. You'll have to make sure that the referer variable is part of your form if you want to use it after form submission. You could, for example, change your last line to

    # .get() avoids a KeyError when the browser sends no Referer header
    return render_to_response('board/LoginForm',
        {'form':form, 'ref':request.META.get('HTTP_REFERER', '')})

and render {{ ref }} as the value of a hidden input field in your login form. Thus request.POST['ref'] will contain the referer.

Andreas
HTTP_REFERER
I use the following view for user's log in

###
def MyLogin(request):
    WrongID=0
    AllGood=1
    if request.POST:
        print "Refferer1 from POST",Refferer1
        try:
            u=users.get_object(Login__exact=request.POST['Login'])
        except users.UserDoesNotExist:
            WrongID=1
        if not WrongID and (u.Password==request.POST['Password']):
            return render_to_response('board/SuccessfulLogin', {'u': u})
        else:
            return HttpResponse("Wrong ID or a password.")
    else:#first GET the LoginForm
        Refferer1= request.META['HTTP_REFERER']
        print "Refferer1 from GET",Refferer1
        manipulator = users.AddManipulator()
        errors = new_data = {}
        form = formfields.FormWrapper(manipulator, new_data, errors)
        return render_to_response('board/LoginForm', {'form':form})
###

and I would like to check 'HTTP_REFERER' so I use
Refferer1= request.META['HTTP_REFERER']
on line 15.

I want to use the same 'HTTP_REFERER' value I got from GET, in POST part too (line 5), but it is empty on line 5. The value is not saved from GET (line 15).

Can anybody explain WHY the value from GET part (command on line 15 such as
Refferer1= request.META['HTTP_REFERER']
) is not saved to POST?

Thank you
L.