
Linux, Unix, and *nix like Operating Systems Forum

Referer spoofing


Msg#: 459 posted 10:05 am on Mar 6, 2003 (gmt 0)


I'm looking to find a way to stop spoofing programs.
As most of you know, these little evils are bypassing
your .htaccess file by sending a real referrer URL.

Here's my htaccess file:
AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine On
# Redirect any request whose Referer is not one of this site's own pages
RewriteCond %{HTTP_REFERER} !^http://mydomain.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/ [NC]
RewriteRule /* [mydomain.com...] [R,L]

This can be spoofed easily and I need to find a solution since my site is somehow popular and my members area keeps being published in warez sites.

My site is an AVS protected site and I have to use something
similar to this one above.

Would love to read your opinions on this one.


[edited by: littleman at 10:18 am (utc) on Mar. 6, 2003]
[edit reason] took out the adult site references [/edit]




Msg#: 459 posted 12:40 pm on Mar 7, 2003 (gmt 0)

You can't really defend against cross-site referrer spoofing as you are relying on the user to tell the truth! It's that simple.

To make any half-decent security solution you would need to augment the referrer-based system somehow and to be honest I think you'll find that the amount of work involved in this is prohibitive - essentially you'd be re-inventing the wheel (where the wheel in this case is user-authentication).

However, if they are going from a site you control to another site you control, then you could probably have some fun with dynamic pages and a database - i.e. you generate a "launch" page which uses a unique URL; this URL is entered into the database and stays valid for x minutes.

When the user goes to the other site they will pass that unique URL in their referrer, the other site spots this and authenticates them for access to the site and at the same time removes the "launch" URL as a valid authenticator.

Since the unique URL would only be shown to valid users (I presume they would have logged in at this point) and would only work once, you have something which is pretty hard to spoof and pointless in linking :)

- Tony
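
The one-time launch URL scheme described in the reply above, sketched as an added example (not code from the thread). The host name, path prefix, table name and five-minute lifetime are assumptions, and an in-memory SQLite table stands in for the database shared by the two sites.

```python
import secrets
import sqlite3
import time
from urllib.parse import urlsplit

LAUNCH_HOST = "members.example.com"  # assumed host that serves the launch pages
LAUNCH_PATH = "/launch/"             # assumed path prefix of every launch URL
TTL_SECONDS = 300                    # the "x minutes" of validity, here 5

def open_store():
    """Create the token table (in-memory here; a shared database in practice)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE launch (token TEXT PRIMARY KEY, expires REAL NOT NULL)")
    return db

def issue_launch_url(db, now=None):
    """First site, for a logged-in user: mint an unguessable, short-lived URL."""
    now = time.time() if now is None else now
    db.execute("DELETE FROM launch WHERE expires < ?", (now,))  # purge stale rows
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO launch VALUES (?, ?)", (token, now + TTL_SECONDS))
    db.commit()
    return f"https://{LAUNCH_HOST}{LAUNCH_PATH}{token}"

def redeem_referer(db, referer, now=None):
    """Second site: accept a Referer header value once, then invalidate it."""
    now = time.time() if now is None else now
    try:
        parts = urlsplit(referer or "")
    except ValueError:  # malformed header value
        return False
    if parts.scheme != "https" or parts.hostname != LAUNCH_HOST:
        return False
    if not parts.path.startswith(LAUNCH_PATH):
        return False
    token = parts.path[len(LAUNCH_PATH):]
    # Delete and check in one statement so two concurrent requests
    # carrying the same Referer cannot both be accepted.
    cur = db.execute(
        "DELETE FROM launch WHERE token = ? AND expires >= ?", (token, now))
    db.commit()
    return cur.rowcount == 1
```

Current browsers default to the `strict-origin-when-cross-origin` referrer policy, which strips the path from cross-site Referer headers, so the launch page has to send a `Referrer-Policy` header such as `unsafe-url` for the token to reach the second site.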
