WebmasterWorld

Referer spoofing

     

peace

10:05 am on Mar 6, 2003 (gmt 0)

5+ Year Member



Hello,

I'm looking to find a way to stop spoofing programs.
As most of you know, these little evils are bypassing
your .htaccess file by sending a real referrer URL.

Here's my htaccess file
-----------------------------
AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine On
# Anyone whose Referer does not start with one of this site's own hostnames
# fails both conditions and is redirected; a space separates the test string
# from the pattern, and [NC] makes the match case-insensitive.
RewriteCond %{HTTP_REFERER} !^http://mydomain.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/ [NC]
# Redirect every request that passed the conditions above (target as posted).
RewriteRule /* [mydomain.com...] [R,L]
-----------------------------
This can be spoofed easily and I need to find a solution since my site is somewhat popular and my members area
keeps being published on warez sites.

My site is an AVS protected site and I have to use something
similar to this one above.

Would love to read your opinions on this one.

Thanks

[edited by: littleman at 10:18 am (utc) on Mar. 6, 2003]
[edit reason] took out the adult site references [/edit]

Dreamquick

12:40 pm on Mar 7, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can't really defend against cross-site referrer spoofing as you are relying on the user to tell the truth! It's that simple.

To make any half-decent security solution you would need to augment the referrer-based system somehow and to be honest I think you'll find that the amount of work involved in this is prohibitive - essentially you'd be re-inventing the wheel (where the wheel in this case is user-authentication).

However, if they are going from a site you control to another site you control, then you could probably have some fun with dynamic pages and a database, i.e. you generate a "launch" page which uses a unique URL; this URL is entered into the database and stays valid for x minutes.

When the user goes to the other site they will pass that unique URL in their referrer, the other site spots this and authenticates them for access to the site and at the same time removes the "launch" URL as a valid authenticator.

Since the unique URL would only be shown to valid users (I presume they would have logged in at this point) and would only work once, you have something which is pretty hard to spoof and pointless in linking :)

- Tony
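The one-time launch-URL scheme Tony outlines, as an added Python example that is not code from the thread or from any WebmasterWorld member: site A mints an unguessable URL after login and records it with an expiry, site B redeems it from the Referer exactly once. The in-memory dictionary stands in for the database, and the host name, the five-minute lifetime and the function names are assumptions made for illustration.

```python
import secrets
import time
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for the database table: token -> (user, expiry time).
# LAUNCH_HOST, TOKEN_TTL_SECONDS and both function names are assumed names.
LAUNCH_HOST = "site-a.example"
TOKEN_TTL_SECONDS = 5 * 60          # "stays valid for x minutes"; x = 5 here
_launch_tokens: dict[str, tuple[str, float]] = {}


def issue_launch_url(user: str, now: Optional[float] = None) -> str:
    """Site A, after login: mint a one-time launch URL and record it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)   # unguessable; this is what makes it hard to spoof
    _launch_tokens[token] = (user, now + TOKEN_TTL_SECONDS)
    return f"http://{LAUNCH_HOST}/launch/{token}"


def redeem_referer(referer: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Site B: return the user if the Referer carries a live, unused launch
    token, else None. The token is deleted on first sight, whether it is
    still valid or already expired, so a copied link cannot be replayed."""
    now = time.time() if now is None else now
    if not referer:
        return None
    parts = urlparse(referer)
    if parts.scheme not in ("http", "https") or parts.netloc != LAUNCH_HOST:
        return None                     # Referer does not point at site A at all
    prefix = "/launch/"
    if not parts.path.startswith(prefix):
        return None
    token = parts.path[len(prefix):]
    record = _launch_tokens.pop(token, None)   # one-time: gone after this call
    if record is None:
        return None                     # unknown, or already used
    user, expires_at = record
    return user if now <= expires_at else None
```

The check only helps when the browser actually sends a Referer; a user whose browser or proxy strips it is simply refused, which is a usability cost rather than a hole. The protection comes from the token being unguessable and deleted on first use, not from trusting the header itself.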
