[thelist] Recommended use of HTTP_REFERER?

John.Brooking at sappi.com John.Brooking at sappi.com
Fri Oct 24 12:13:57 CDT 2003


Howdy, gang,

   You often see in some CGI scripts (I've seen it in Perl, but maybe others
too) a check of the HTTP_REFERER variable. Ostensibly, this is to ensure
that people are only using your script from your own site, which seems like
a good idea. You don't want a lot of other sites, not to mention crackers,
making requests of your scripts for their own purposes.

   Two problems that I know about with this: (1) A cracker with a
programmable HTTP client can set the HTTP_REFERER to whatever s/he wants, so
like all client data, it is not really trustworthy. (2) Some clients may not
send HTTP_REFERER at all. I know of one personal firewall product (Norton)
which has an option to not send it, and optionally send in its place an
encrypted string called HTTP_WEFERER [1], [2]. Some people may wish to keep
this setting on for privacy or security reasons.

   In terms of how else to control access to your CGI scripts, I suppose the
answer is to require current session id, or possibly a cookie, which is only
available from your site.

   Question 1) Is that the recommended way of controlling access to your
site's scripts?

   Question 2) If not, what is?

   Question 3) Is there really any reason for HTTP_REFERER to exist, if it
is not dependable?

   Thanks for any advice.

- John

References:
[1] http://www.webmasterworld.com/forum10/1209.htm
[2] http://www.webmasterworld.com/forum10/964.htm
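The two approaches John contrasts, as an added example that is not part of the original post: a Referer-based check beside a server-side session check for a CGI-style handler. It assumes a CGI/WSGI-style `environ` dict as input and a hypothetical site host `www.example.org`.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

OWN_HOST = "www.example.org"  # assumed site host (placeholder)
SESSIONS = {}                 # constructed server-side store: session id -> user

def create_session(user):
    """Issue an unguessable session id at login; only the server holds the mapping."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid

def referer_check(environ):
    """The HTTP_REFERER test from the post: allow only when the Referer host is
    our own. Both weaknesses the post names are visible here: the header is
    composed by the client, so the server cannot tell a genuine referral from a
    fabricated one; and a client that omits the header (e.g. a privacy filter)
    is turned away even though it may be a legitimate user."""
    ref = environ.get("HTTP_REFERER")
    if not ref:
        return False
    return urlsplit(ref).hostname == OWN_HOST

def session_check(environ):
    """Session-id test: accept only a cookie whose value is a live session in
    the server's own store. Returns the user name, or None. The id is random,
    so it cannot be derived from anything the client controls."""
    cookie = SimpleCookie()
    cookie.load(environ.get("HTTP_COOKIE", ""))
    if "sid" not in cookie:
        return None
    return SESSIONS.get(cookie["sid"].value)

def handle_request(environ):
    """CGI-style entry point: authorize by session, not by Referer."""
    user = session_check(environ)
    if user is None:
        return "403 Forbidden", "no valid session"
    return "200 OK", f"hello {user}"
```

Log the Referer if you like it for statistics, but make the access decision on the session alone.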

