mailing list archives
RE: HTTPS redirections
From: <whip () netspace net au>
Date: Sat, 25 Aug 2007 11:46:02 +1000
Just be aware, that the referer can be forged fairly easily - don't rely on
it for any kind of security or authentication.
Basically, never trust the client (in this case, the browser).
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jason Ross
Sent: Saturday, 25 August 2007 7:13 AM
To: anthony () synt3gra com
Cc: security-basics () securityfocus com
Subject: Re: HTTPS redirections
On 8/24/07, anthony () synt3gra com <anthony () synt3gra com> wrote:
I have noticed how some websites only allow access to a particular
page if a link within the page has been 'clicked' ie. user cannot
paste link address in browser bar to get to desired page.
For security purposes I would like to create a script and achieve
I believe that (at least one way) this is done is by checking the
referer header. In PHP this can be accessed via the predefined
variable: $_SERVER['HTTP_REFERER'], other languages should have
similar methods of obtaining this.
AFAIK, there is not a difference between HTTP and HTTPS as far as
this method is concerned.