Relying on the integrity of HTTP_REFERER is simply a bad idea.
End user tools such as the RefControl plugin for Firefox make it easy
for anyone to spoof the referer.
I am aware of a handful of news subscription websites (which shall not
be listed here) that restrict their content to paying customers.
However, to boost rankings in the search engines, the websites make a
page of premium content available through news aggregators like
news.google.com. As a result, the websites gain free publicity and allow
users to sample one article. Clicking any deeper results in redirection
to a subscription page. How is this done? HTTP_REFERER based
authentication. Set one's referer to "news.google.com" and voila...
free premium access to the entire website. If anyone asks, you didn't
hear this from me :)
The HTTP_REFERER is a poor source for authentication and should not be
used for such purposes.
~Rolan
Joseph Crawford wrote:
Guys,
I know that HTTP_REFERER is not always accurate or even set. There
are also ways for people to fake that value. I tend not to rely on
that much; however, what I need to do is this.
We have a file called spy.php that will return data to the browser if
the sitekey is found in our database. This data is to be used by
members so they can show statistics on their site. However, to be sure
that it was the correct sitekey, I was also checking the referer domain
against the domain stored in the database. Is there a better way to
do this? I do not want someone to be able to display the stats for
another site on theirs.
Is there a way to do this or should i just base it on the sitekey and
if it is valid return the stats for that particular site. The sitekey
is an md5 hash.
Thanks,
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
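To make the point above concrete, here is an added example (not code from the thread or from the spy.php in question) that puts the referer check Joseph describes next to a sitekey-only lookup. The `$sites` array, the hypothetical sitekey value and the function names are assumptions standing in for the database; the referer value is a constructed request that any client can send.

```php
<?php
// Added example, not the original spy.php. Shows (1) that a Referer-based
// check accepts any client that sets the header, and (2) a lookup that
// relies on the sitekey alone. $sites stands in for the database (assumed).

// Constructed stand-in for the members table: sitekey (md5 hex) => row.
$sites = [
    '9e107d9d372bb6826bd81d3542a419d6' => [
        'domain' => 'example.com',
        'stats'  => ['hits' => 1234, 'visitors' => 87],
    ],
];

// The check described in the thread: compare the Referer host to the
// domain stored for the site. Every input here is client-controlled.
function referer_matches(array $server, string $domain): bool
{
    $ref  = $server['HTTP_REFERER'] ?? '';
    $host = parse_url($ref, PHP_URL_HOST);
    return $host !== null && strcasecmp($host, $domain) === 0;
}

// Spoofed request: a copy of $_SERVER as it would look after
//   curl -H 'Referer: http://example.com/' http://host/spy.php?sitekey=...
// Passes the check, so the referer adds nothing over the sitekey itself.
$spoofedServer = ['HTTP_REFERER' => 'http://example.com/stats.html'];
var_dump(referer_matches($spoofedServer, 'example.com')); // bool(true)

// Sitekey-only lookup: validate the shape first (32 hex chars for an md5),
// then compare against stored keys with hash_equals() so a partial match
// does not finish faster than a mismatch.
function stats_for_sitekey(array $sites, string $sitekey): ?array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $sitekey)) {
        return null;
    }
    foreach ($sites as $storedKey => $row) {
        if (hash_equals($storedKey, $sitekey)) {
            return $row['stats'];
        }
    }
    return null;
}

var_dump(stats_for_sitekey($sites, '9e107d9d372bb6826bd81d3542a419d6')); // the stats row
var_dump(stats_for_sitekey($sites, str_repeat('0', 32)));                 // NULL
var_dump(stats_for_sitekey($sites, "' OR 1=1 --"));                        // NULL (fails shape check)
```

Two caveats that follow from treating the sitekey as the credential: if members embed it in client-side HTML or JavaScript, anyone viewing the page source can copy it and request the same stats, so the member's own server should fetch from spy.php and render the result; and the key is only as strong as its origin, so it should be a random value rather than, say, an md5 of the domain name, which anyone could recompute. Both are my observations on the design, not something the thread states.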