homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

How to determine REFERER reliably
referer referrer

 5:26 pm on Sep 22, 2009 (gmt 0)

For a subscription based website I need to validate where the request is coming from. What is the best way to do this?

For example if I give a site abc.com a REFERER parameter so that traffic coming from them to my site will have advertising turned off. All that a rogue webmaster has to do is do a view source and use the same referer_id to spoof my site.

I am looking for a nice/clean/lightweight solution to this problem. I'm confident it is something that has been solved millions of times perhaps even by google analytics. I am told that HTTP_REFERRER is easy to spoof, is that true?

In any case I am looking for a LAMP (or javascript) based solution. Appreciate your input, very much!




 6:04 pm on Sep 22, 2009 (gmt 0)

JavaScript is insecure because it too can be hacked to send whatever is needed to your server. HTTP Referer headers are unreliable because they can be spoofed, and because many "Internet Security" software packages, firewalls, and ISP caching proxies can suppress them -- usually without your visitor knowing anything about it.

So forget referrers and client-side code... What actual problem are you trying to solve? How critical is it that the solution work 100% of the time?

I can't really think of any 100% solution unless the referring site is willing to use a script to 'handshake' with your site behind the scenes, get an encrypted 'key' from your server, and append that to the referred URL given to the visitor about to click on your link. This would put a fairly heavy load on both of your servers, though, because the key would be requested whenever the referring page was loaded, regardless of whether the visitor ever clocked through to your site. And you would have to validate that key when received with a request.

All in all, I think I'd look for a completely-different plan, like separate pages for your referrering partners to link to. But then, anyone could link to those pages as well... So I doubt that this problem has been solved "millions of times" because referral-based functions cannot be reliable unless they're from domains that you fully control.



 6:10 pm on Sep 22, 2009 (gmt 0)

Umm.. thanks for your considered response.
- I'd be ok with a less than 100% solution.
- I can put a JS script on the other server too (but worry abt the load on both servers - as u rightly pointed out)

The problem I am looking to solve is really suppressing advertising for 'premium' customers.



 7:05 pm on Sep 22, 2009 (gmt 0)

In general, JavaScript doesn't run on servers, it runs on the visitor's machine (in the browser) as the browser displays the Web page. As a result, the JS code has already been downloaded to the visitor's computer, and can therefore easily be inspected and hacked. So don't use JS for anything even remotely "security-related," or anything that can affect the operation of your server ("how your site works").

If your premium customers have accounts (login username and password) on your site, then use a cookie that is set when they log in, and thereafter suppresses advertising. Really, this control mechanism needs to take place 100% within your own domain.

If you are willing to put up with approximately 33% of your incoming "premium customer" referrals seeing ads, then the referrer-based method may be good enough. Otherwise, some other approach is needed.



 7:10 pm on Sep 22, 2009 (gmt 0)

How easy is it to spoof HTTP_REFERER so that some percentage of non-premium members can see premium content?


 7:13 pm on Sep 22, 2009 (gmt 0)

Also cookie based approach for premium content does not work in our case. Perhaps a better analogy would be to use affiliate marketing: wherein if someone comes thru a particular link then they can see premium content (of course the affiliate never want to use someone else's id and givem them credit ;) )


 7:24 pm on Sep 22, 2009 (gmt 0)

It's not easy for Joe-average surfer to spoof the referrer. But if your content is worth the effort --valuable enough-- then you will encourage some percentage of your visitors to go seek the tools needed to do it. They're not hard to find.

In affiliate marketing, the affiliate identifies himself via the requested URI so as to get credit from you. After validating the affiliate ID, you could then set a cookie to prevent your ads from showing. It's pretty much either that or require your premium visitors to login (HTTP cookies and HTTP authentication headers are sent to your server with every request from the browser).

Maybe someone else has more or better ideas, but I've posted all of mine short of magic or divine intervention...


Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved