Alternative to HTTP-REFERER? 1

[tviman]

Since HTTP-REFERER can be spoofed or is not sent by some browsers/firewalls, is there a viable alternative to making sure that a script is executed by a page on your own site?

There's always a better way. The fun is trying to find it!

 

[duncdude]

not that i'm aware of - using LWP it seems easy to do - i've had no problems...


Kind Regards
Duncan

 

[tviman]

Thanks Duncan. I've not used LWP - can you give me a clue?

Thanks...



There's always a better way. The fun is trying to find it!

 

[duncdude]

sorry - badley explained - I mean that I don't think you can stop Perl emulating a genuine web-page form action in any way


Kind Regards
Duncan

 

[tviman]

Sorry - maybe badly explained on my part... is there an alternative method to ensure that my form was executed from my website?

There's always a better way. The fun is trying to find it!

 

[duncdude]

i do not think so


Kind Regards
Duncan

 

[siberian]

There is a programmatic way to handle it and a webserver way to handle this.

Programmatic:
On request log the timestamp in a file. Put the same timestamp into the URL or the form submission. On form submission make check this embedded timestamp against the timestamp on disk. if these match you are in business. The only way they can spoof you is with a brute force attack.

Using Apache and mod_rewrite you can make sure certain pages only get requests from certain other pages. Are you using apache?

 

[duncdude]

hi [blsiberian[/b]

cute! no wonder you are at the top of the Forum MVPs tree!

have a star!!!

Cheers
Duncan

 

[tviman]

Amen to that!!! Heck... have another star!!!

And thanks for the help!

There's always a better way. The fun is trying to find it!