referrer spoofing protection
Is there any way I can protect my site from people using zspoof /
supermegaspoof etc. to spoof the referrer header?
Any help much appreciated,
Thanks, Jon.
David Dorward 2007-05-30, 6:19 pm
On May 30, 1:37 pm, "kops" <k...@kops.com> wrote:
> Is there any way I can protect my site from people using zspoof /
> supermegaspoof etc. to spoof the referrer header?
Just don't trust the referrer header in the first place, it is
optional to begin with. (More specific advice is hard to offer without
knowing what you are trying to achieve by looking at said header).
--
David Dorward
http://dorward.me.uk/
http://blog.dorward.me.uk/
"David Dorward" <dorward@XXXXXXXXXX> wrote in message
news:1180529962.829265.230440@q75g2000hsh.googlegroups.com...
> On May 30, 1:37 pm, "kops" <k...@kops.com> wrote:
>
> Just don't trust the referrer header in the first place, it is
> optional to begin with. (More specific advice is hard to offer without
> knowing what you are trying to achieve by looking at said header).
>
> --
> David Dorward
> http://dorward.me.uk/
> http://blog.dorward.me.uk/
>
Hi David & thanks for the response,
So from what I understand, the only way around this if I have a ring of
sites would be to ask each user to authenticate separately at each site
rather than using the referral method?
Thanks again,
jon
David Dorward 2007-05-30, 6:19 pm
On May 30, 3:15 pm, "kops" <k...@kops.com> wrote:
> "David Dorward" <dorw...@XXXXXXXXXX> wrote in message
> So from what I understand, the only way around this if I have a ring of
> sites would be to ask each user to authenticate separately at each site
> rather than using the referral method?
No, as I said, it's hard to give specific advice without knowing the
details. If you're looking to have centralized authentication, then
you could probably do something along the lines of:
1. generate a hard-to-guess identifier with a short life
2. send that to the server hosting the other site
3. redirect the user to that site with that identifier in the query
string
4. use that generated token as evidence of who the user is
(That's rough and ready and I haven't looked at security implications
in depth, but I think it is along the right lines).
--
David Dorward
http://dorward.me.uk/
http://blog.dorward.me.uk/
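One way to carry out the four steps above, as an added Python example that is not code from the thread; the in-memory dictionary standing in for the server-to-server channel, the site URL and the 60-second lifetime are assumptions:

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the out-of-band channel between the ring sites
# (step 2): site B's record of the tokens site A has issued. In a real
# deployment this is a server-to-server call or a shared database.
SITE_B_PENDING = {}

TOKEN_TTL_SECONDS = 60  # "short life" from step 1 (assumed value)


def site_a_issue_handoff(user, now=None, target="https://site-b.example/login"):
    """Site A: mint a hard-to-guess, short-lived token bound to the user
    (step 1), register it with site B (step 2) and build the redirect URL
    that carries the token in the query string (step 3)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SITE_B_PENDING[token] = {"user": user, "expires": now + TOKEN_TTL_SECONDS}
    return f"{target}?{urlencode({'token': token})}"


def site_b_consume(redirect_url, now=None):
    """Site B: accept the arriving user only if the token in the query
    string is one site A registered, is unexpired, and has not been used
    before (step 4). Returns the user name, or None on any failure.
    The Referer header plays no part, so spoofing it gains nothing."""
    now = time.time() if now is None else now
    qs = parse_qs(urlparse(redirect_url).query)
    token = qs.get("token", [None])[0]
    # pop() makes the token single-use: a replayed URL finds nothing.
    record = SITE_B_PENDING.pop(token, None) if token else None
    if record is None or now > record["expires"]:
        return None
    return record["user"]


if __name__ == "__main__":
    url = site_a_issue_handoff("jon")
    print("redirect to:", url)
    print("first visit :", site_b_consume(url))   # jon
    print("replayed    :", site_b_consume(url))   # None
```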
Copyright 2003 - 2008 forum4designers.com