PHP http_referer Internet Explorer 7
Posted: Fri Nov 10, 2006 4:14 pm
by waradmin
Alright, so it seems that Internet Explorer 7 does not send referer data, thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "". So basically websites like mine that check form input using http_referer are no longer functioning. What is another way to check that a form was submitted from a desired source without using referer?
I thought about using a hidden field, but because Firefox reveals hidden fields and their values, it would prove to be a worthless attempt to secure a form. Any thoughts on how to secure a form without using referer?
Posted: Fri Nov 10, 2006 4:16 pm
by feyd
Tokens are used quite often, but can suffer from injection as you've stated. Sessions can be used as well. Much harder for a user to tamper with.
Re: PHP http_referer Internet Explorer 7
Posted: Fri Nov 10, 2006 4:17 pm
by Burrito
waradmin wrote:Alright, so it seems that Internet Explorer 7 does not send referer data, thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "".
that is not true. I'd check to make sure your script is correct.
Posted: Fri Nov 10, 2006 4:19 pm
by Burrito
as a follow-up, I wouldn't rely on HTTP_REFERER anyway, but just to clarify, it does still work with IE 7.
Posted: Fri Nov 10, 2006 4:23 pm
by waradmin
Well here is the code:
Code:
// The Referer header is optional, so read it defensively to avoid an undefined-index notice
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($referer != "http://www.somthing.org/hm/beta/messages.php")
{
    echo "You cannot do that!";
    echo $referer;
    exit();
}
Here is the result in IE 7:
You cannot do that!
Here is the result in firefox:
If it works in IE 7, explain why it doesn't display anything.
Posted: Fri Nov 10, 2006 4:26 pm
by nickvd
Echo the referrer outside your if, so you can see what it looks like no matter what happens...
Posted: Fri Nov 10, 2006 4:26 pm
by Burrito
I just tested with this:
test.php
Code:
<?php
// Print the Referer header only when the browser actually sent one
if (isset($_SERVER['HTTP_REFERER']))
    echo $_SERVER['HTTP_REFERER'];
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled</title>
</head>
<body>
<a href="test.php">here</a>
</body>
</html>
Posted: Fri Nov 10, 2006 4:29 pm
by waradmin
Well, also I am on Windows Vista; that may be doing it, because it isn't working.
Posted: Sat Nov 11, 2006 3:34 am
by onion2k
waradmin wrote:Well, also I am on Windows Vista; that may be doing it, because it isn't working.
Using Beta software will often result in strange quirks and problems that will be impossible for anyone to diagnose and fix. Use a finished operating system if you want predictable results.
Re: PHP http_referer Internet Explorer 7
Posted: Sat Nov 11, 2006 4:08 am
by timvw
waradmin wrote:Alright, so it seems that Internet Explorer 7 does not send referer data, thus when using $_SERVER['HTTP_REFERER'] you always receive a value of "". So basically websites like mine that check form input using http_referer are no longer functioning.
Your website still works, but the mistake in your reasoning that the header would always be there just became more obvious.
waradmin wrote:
What is another way to check that a form was submitted from a desired source without using referer?
You'll have to generate a token (but you have to make sure the tokens can't be guessed... basically, you would end up implementing something like sessions...). Suggestion: simply use sessions and store the requests in there. This way you can easily verify the pages the user has visited. Notice that it's still possible to automate these requests...
waradmin wrote:
I thought about using a hidden field, but because Firefox reveals hidden fields and their values, it would prove to be a worthless attempt to secure a form.
Since you're sending values to the client, it would be a mistake to assume they're not going to see it. What you really would have to do is make sure that they can't predict the value you're going to send them... And when they give you a value, you should be able to verify if it was really a value that you generated...
waradmin wrote:
Any thoughts on how to secure a form without using referer?
For that you would have to define 'secure' first.
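As an added example (not code from anyone in this thread), here is the approach feyd and timvw describe: an unguessable token is generated server-side, remembered in the session, sent to the client in a hidden field, and checked on submission. The hidden field being visible does not matter, because the client cannot predict the next value or forge one the server did not issue. It assumes PHP 7 or later (for random_bytes and hash_equals), that session_start() runs before any output, and uses made-up names (FORM_TOKEN_KEY, issue_form_token, verify_form_token, the 'message' form name) for illustration.

```php
<?php
// Added example: session-bound, single-use form tokens as an alternative to HTTP_REFERER.
// Assumptions: PHP 7+, sessions enabled, this file handles both GET (render) and POST (submit).
session_start();

const FORM_TOKEN_KEY = 'form_tokens'; // assumed session key holding issued tokens per form
const FORM_TOKEN_TTL = 1800;          // assumed token lifetime in seconds

// Issue a fresh token for $form and record when it was issued.
function issue_form_token(string $form): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG, not guessable
    $_SESSION[FORM_TOKEN_KEY][$form][$token] = time(); // server remembers what it handed out
    return $token;
}

// Accept a submission only if the token was issued by us for this form, is unexpired,
// and has not been used before. A matching token is consumed so it cannot be replayed.
function verify_form_token(string $form, ?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    $issued = $_SESSION[FORM_TOKEN_KEY][$form] ?? [];
    foreach ($issued as $token => $issuedAt) {
        $token = (string) $token;
        if (time() - $issuedAt > FORM_TOKEN_TTL) {
            unset($_SESSION[FORM_TOKEN_KEY][$form][$token]); // expired, drop it
            continue;
        }
        if (hash_equals($token, $submitted)) {               // constant-time comparison
            unset($_SESSION[FORM_TOKEN_KEY][$form][$token]); // single use
            return true;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token('message', $_POST['token'] ?? null)) {
        http_response_code(403);
        echo "You cannot do that!";
        exit();
    }
    // Token was genuine: handle the submission here.
    echo "Message accepted.";
    exit();
}

// GET: render the form with a freshly issued token in a hidden field.
$token = issue_form_token('message');
?>
<form method="post" action="">
    <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <textarea name="body"></textarea>
    <button type="submit">Send</button>
</form>
```

This proves that the submitting browser was first served the form by this site within the same session, which is what the referer check was trying to establish without a header the browser may omit. As timvw notes, it does not stop a user from scripting their own session: anyone who can fetch the form can read the token and post it back, so this is a check on request origin and replay, not on whether a human filled the form in.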