Welcome to WebmasterWorld Guest from

Forum Moderators: bakedjake

Message Too Old, No Replies

Referer spoofing

10:05 am on Mar 6, 2003 (gmt 0)

New User

5+ Year Member

joined:Aug 26, 2008
votes: 0


I'm looking to find a way to stop spoofing programs.
As most of You know, this little evils are by passing
Your .htaccess file with sending a real referrer url.

Here's my htaccess file
AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http://mydomain.com/ [NC]
RewriteCond %{HTTP_REFERER}!^http://www.mydomain.com/ [NC]
RewriteRule /* [mydomain.com...] [R,L]
This can be spoofed easily and I need to find a solution since my site is somehow popular and my members area is
keep being published in warez sites.

My site is an AVS protected site and I have to use something
similar to this one above.

Would love to read Your oppinions on this one.


[edited by: littleman at 10:18 am (utc) on Mar. 6, 2003]
[edit reason] took out the adult site references [/edit]

12:40 pm on Mar 7, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 25, 2002
votes: 0

You can't really defend against cross-site referrer spoofing as you are relying on the user to tell the truth! It's that simple.

To make any half-decent security solution you would need to augment the referrer-based system somehow and to be honest I think you'll find that the amount of work involved in this is prohibitive - essentially you'd be re-inventing the wheel (where the wheel in this case is user-authentication).

However if they are going from a site you control to another site you control and then you could probably have some fun with dynamic pages and a database - ie you generate a "launch" page which uses a unique URL, this URL is entered into the database and stays valid for x minutes.

When the user goes to the other site they will pass that unique URL in their referrer, the other site spots this and authenticates them for access to the site and at the same time removes the "launch" URL as a valid authenticator.

Since the unique URL would only be shown to valid in users (I presume they would have logged in at this point) and would only work once you have something which is pretty hard to spoof and pointless in linking :)

- Tony


Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members