GaryK - 4:12 am on Apr 4, 2003 (gmt 0)

My IIS/ASP website is getting busier and hacking attempts are on the upswing.

As one part of an overall security plan when someone tries to access a page/script that should only be accessed from another page on the website I check the HTTP_REFERER to be sure it's what I am expecting. If not I redirect them to an error page.

This is starting to cause a lot of problems for people with NIS, AOL8, Opera and other solutions that are able to block or modify the HTTP_REFERER.

So I am wondering what you all think about using the HTTP_REFERER as one part of an overall security plan.

I use encrypted cookies for login, and you have to be a member to access certain pages, but even still, is it worth the hassle, and some would say privacy violation of checking the HTTP_REFERER?

Thanks for your opinions.