Posted: Fri Nov 25, 2005 2:41 pm
http_referer is useless - it is easily spoofed, and not all browsers or clients even *SEND* the referer. I never use it for any kind of checking or security *at all*.

RaH wrote:
Why not just use referrals? You could test for spoofing by inserting a session id into the referral url, and then test for validity of sess id. If you are serving up a few megs of photos to a few hundred users, the impact of that loop could DoS you.
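An added example, not part of the original thread, contrasting a Referer-based gate with a check on a token bound to a server-side session. It goes slightly beyond the post by using an HMAC over the session id and path; the key, site URL, session ids and function names are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for illustration only (assumptions, not from the thread).
SERVER_KEY = b"constructed-demo-key"
SITE = "https://photos.example/"


def referer_check(headers):
    """Referer-based gate: trusts a header the client fully controls."""
    return headers.get("Referer", "").startswith(SITE)


def make_token(session_id, path):
    """Bind a URL token to one session and one resource with HMAC-SHA256."""
    msg = f"{session_id}|{path}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def token_check(sessions, session_id, path, token):
    """Accept only if the session is live and the token matches it."""
    if session_id not in sessions:
        return False
    expected = make_token(session_id, path)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def demo():
    sessions = {"sess-a1"}  # constructed set of live server-side sessions
    path = "/img/1.jpg"
    good = make_token("sess-a1", path)
    return {
        # Legitimate client that sends no Referer: wrongly refused.
        "referer_missing": referer_check({}),
        # Header set by the client to the expected value: wrongly accepted.
        "referer_forged": referer_check({"Referer": SITE + "gallery"}),
        "token_valid": token_check(sessions, "sess-a1", path, good),
        "token_other_path": token_check(sessions, "sess-a1", "/img/2.jpg", good),
        "token_dead_session": token_check(
            sessions, "sess-zz", path, make_token("sess-zz", path)),
        "token_tampered": token_check(sessions, "sess-a1", path, "0" * 64),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```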