homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library, Charter, Moderators: phranque

Website Technology Issues Forum

How to determine REFERER

 10:21 pm on Sep 21, 2009 (gmt 0)

For a subscription based website I need to validate where the request is coming from. What is the best way to do this?

For example if I give a site abc.com an REFERERE parameter so that traffic coming from them to my site will have advertising turned off. All a wiley webmaster has to do is do a view source and use the same token to spoof my site.

I am looking for a nice/clean/lightweight solution to this problem. I'm confident it is something that has been solved millions of times perhaps even by google analytics. I am told that HTTP_REFERRER is easy to spoof, is that tue?

In any case I am looking for a LAMP (or javascript) based solution. Appreciate your input, very much!




 4:40 pm on Sep 22, 2009 (gmt 0)

Most effective method would be with cookies or session ID's.


 4:44 pm on Sep 22, 2009 (gmt 0)

Umm... are u suggesting that abc.com set a cookie that we read?

and if HTTP_REFERER can be spoofed, then wouldn't that render sessionID as being already spoofed?!


 5:09 pm on Sep 22, 2009 (gmt 0)

I'm not going to be able to expand on this.

Suggest you post this in either the Apache forum or one of the other Webmaster World forums related to scripts.

You might also try searching the webmaster World archives (via google)for both cookies and session ID's.

Refer's are not a sure fire method, however the aforementioned capabilities would reduce the liklihood of decption, as would header verfication. There are numerous threads at Webmaster World (and across the internet) on these methods.

It's not as "simple" as you'd like, however it may be accomplished.


 9:15 pm on Sep 22, 2009 (gmt 0)

While referers can be spoofed, its isn't easy or trivial. Its beyond your average webmaster.
Third party webmasters can't look at your code to see if you are checking the referer - this happens within your PHP code (for a LAMP solution) and doesn't show in the output HTML (they could look at the page when they come from different sources and note the change and infer why it happens, of course).

And, no, wilderness doesn't mean abc.com sets a cookie - you can't read 3rd party cookies. On the first page view *your* code notes 'referer = abc.com' and sets a cookie to indicate same throughout the session.

Its possible you are asking too advanced a question for your level - try doing some more reading and experimenting on your own.


 9:24 pm on Sep 22, 2009 (gmt 0)

Thanks for your response... but I am faaar from a newbie. So much so that we have devised ways of reading cross-domain cookies ;)

Just looking for a canned solution, and hoping to tap into the knowledge pool already available rather than re-inventing the wheel.

You answerered the most key question for me by saying the average webmaster cannot spoof HTTP_REFERER. I am willing to live with a minor amt of abuse.

THANK YOU for your help. Really.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved