Hello !

I wrote the CGI script which will check where user come from.

If they came from the website which is listed on my database then they can go inside otherwise they will get the error message !

I used $ENV{'HTTP_REFERER'} to check where user come from.

70% of my customer can login OK - but other 30% they sent me their complain they couldn't get inside.

I believe they are very good customer and they came from the website which is listed on my database but somehow they got stuck (check my log and I saw their HTTP_REFERER = "" (none)

Anyone get the problem like me? Can you show me how to fix it !

Thanks so much !

N.A

More than likely it's because the 30% are behind firewalls that are configured for maximum privacy, and referer is not passed. One option is to allow access if referer is undefined. But if user types in URL (in browser address window), or arrives via offsite JavaScript link or popup, they can access even though they did arrive via onsite link (since no referer passed in these cases). Another option is to spit out message if no referer passed: for example, "Sorry but in order to access this script, you must demonstrate that you called it via onsite link. We use referer to make this assessment. If you are behind a firewall that has privacy settings set to not pass referer, please either temporarily disable your firewall or change privacy settings so that browser referer is passed."

Cheers - Dan

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln

Hi Dan !

Thanks so much ! You help me a lot ! make my brain is clearer !

Just 1 more question !

I read some post on this forum. It said : the $ENV{'HTTP_REFERER'} will work only from https:// to https:// (not from https:// to http:// site) -

go back to my case, will it work if I link user from partner site http:// to my https:// site ? I mean I will email to my partner site and tell them put the link to https://mysite.com instead http://mysite.com - What do you think ?

Thank again !

NA.

I believe it is browser-dependent. Referer is passed if you go from https:// to http:// if you use Netscape, but not MSIE. Other browsers I do not know. As far as http:// to https://, it's a hunch but I'd say referer should be passed in all cases - barring firewalls configured to not pass referer.

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln

Hi Dan !

Can you tell me how to tell my customer to adjust their privacy level ?

I use I.E 6 - I tried to open menu Tools/Internet Option --> Go to tab Privacy and tried to set "Block All Cookie" (the highest level)

Go back and test my script - How come it still work for me? Am I not behind the firewall? How to tell my customer to do?

Regards!

NA

A firewall is software separate from your browser (and not cookie-related). For example, Nortons Firewall I believe:

Privacy Control > toggle off [Enable Privacy]

You do not adjust within browser environment. Do you have a firewall installed (if not, you had better make it priority one)? If you do, you should see its icon in your Windows toolbar at the bottom right corner of your screen (Norton Internet Security 2002 icon is by default a green-blue world globe).

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln

Thanks a lottt ! I got it Dan !

God bless you !

N.A

BTW, anyone can fake the http_referer easily, so it's not good security-wise.

Absolutely, and I was going to mention this but forgot. Thanks for bringing it up. Referer is very unreliable and easily spoofed.

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln

Cookies can also be faked ;)

Not really relevant to the topic, but very true and welcome to the discussion at hand. Any client-side parameter can be spoofed including those already mentioned as well as IP address and many others. I've written a PHP login script (that posts to a CGI-Perl script) that gets around the spoofed referer by having the user re-enter a [Security Code] that is displayed on the HTML generated page as a inline graphic. Similar to the PayPal method, and uses the GD Perl module. This ensures that the login CGI script (that performs the authentication) is called onsite.

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln

>>
Not really relevant to the topic,
<<

You should know me by now :)

Yep, I've got you on my naughty list - for Christmas, a Betamax in your stocking

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln

Now who's off topic

My mind operates off topic as I'm always going off in other directions, and off on tangents... contact at one point...touching...touching base...heh, baseball strike in three days - gotta love millionnaires out on strike. I wonder if they will pin strike placards onto baseball bats

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln

(Sorry Dan I had to reply to you to reply to Derrida)

Why would you want to know that Derrida?

I am very novice and could use some help.

Do you know why the same http_referrer program may work on a PC but not on a Mac?

Also, do you know how to determine the url used to access a site?

Thanks so much.

Jackie

Hi Jackie:

Barring firewalls and assuming http => http, I cannot see why there would be a problem with Mac's. But then I have no experience on Mac's - except Big Macs in my pre-veg years

If you mean which URLs to allow access, then that would include the URL of the site hosting the script (e.g., yourdomain.com), and any other sites (on same server or other servers) that would be allowed to access the script. In the case of the latter, an example could be affiliate or partner sites.

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln

Thanks, Dan. I appreciate your response.

As far as the http_referrer goes, I have two systems hooked up to the same firewall - a PC and a PowerMac. When I access a site that uses http_referrer from the PC, the http_referrer is displayed on the web page as it should be. When I access the same site using the Mac, the http_referrer is not displayed. Alas, there seem to be very few people who know about the Mac. But, that also means that there are very few people who are using Macs, so my problem is not a big one.

On the URL question: I have a site that has multiple domain names framed to the site. I am using http_referrer to display what domain name was used to access the site. When the framed domain name is used to access the Site, the framed domain name appears in the Address bar at the top of the page. Since I was having trouble getting the http_referrer command to work on the Mac, I thought that I may, instead, use the value in the "Address" bar. However, I have no idea how to access this value. Do you know how I could reuse the value in the Address bar on the actual html/php page?

Thank you so much.

Jackie