Welcome to WebmasterWorld Guest from 54.147.10.72

Forum Moderators: phranque

Message Too Old, No Replies

How to determine REFERER

     

iamvela

10:21 pm on Sep 21, 2009 (gmt 0)

5+ Year Member



For a subscription based website I need to validate where the request is coming from. What is the best way to do this?

For example if I give a site abc.com an REFERERE parameter so that traffic coming from them to my site will have advertising turned off. All a wiley webmaster has to do is do a view source and use the same token to spoof my site.

I am looking for a nice/clean/lightweight solution to this problem. I'm confident it is something that has been solved millions of times perhaps even by google analytics. I am told that HTTP_REFERRER is easy to spoof, is that tue?

In any case I am looking for a LAMP (or javascript) based solution. Appreciate your input, very much!

Thanks.
--

wilderness

4:40 pm on Sep 22, 2009 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Most effective method would be with cookies or session ID's.

iamvela

4:44 pm on Sep 22, 2009 (gmt 0)

5+ Year Member



Umm... are u suggesting that abc.com set a cookie that we read?

and if HTTP_REFERER can be spoofed, then wouldn't that render sessionID as being already spoofed?!

wilderness

5:09 pm on Sep 22, 2009 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I'm not going to be able to expand on this.

Suggest you post this in either the Apache forum or one of the other Webmaster World forums related to scripts.

You might also try searching the webmaster World archives (via google)for both cookies and session ID's.

Refer's are not a sure fire method, however the aforementioned capabilities would reduce the liklihood of decption, as would header verfication. There are numerous threads at Webmaster World (and across the internet) on these methods.

It's not as "simple" as you'd like, however it may be accomplished.

leadegroot

9:15 pm on Sep 22, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



While referers can be spoofed, its isn't easy or trivial. Its beyond your average webmaster.
Third party webmasters can't look at your code to see if you are checking the referer - this happens within your PHP code (for a LAMP solution) and doesn't show in the output HTML (they could look at the page when they come from different sources and note the change and infer why it happens, of course).

And, no, wilderness doesn't mean abc.com sets a cookie - you can't read 3rd party cookies. On the first page view *your* code notes 'referer = abc.com' and sets a cookie to indicate same throughout the session.

Its possible you are asking too advanced a question for your level - try doing some more reading and experimenting on your own.

iamvela

9:24 pm on Sep 22, 2009 (gmt 0)

5+ Year Member



Thanks for your response... but I am faaar from a newbie. So much so that we have devised ways of reading cross-domain cookies ;)

Just looking for a canned solution, and hoping to tap into the knowledge pool already available rather than re-inventing the wheel.

You answerered the most key question for me by saying the average webmaster cannot spoof HTTP_REFERER. I am willing to live with a minor amt of abuse.

THANK YOU for your help. Really.
--

 

Featured Threads

Hot Threads This Week

Hot Threads This Month