Can http_referer be spoofed


  1. #1

    Can http_referer be spoofed

    Is there a way to spoof the referer? One security measure that I want to
    implement is checking to make sure that a request came from a page on my
    site. In the same vein, is it also possible to spoof the remote_host server
    variable? Would using an encrypted cookie be the best way to secure data
    being passed back and forth between the client and the server?


    Buddy Ackerman Guest

  2. #2

    Re: Can http_referer be spoofed

    Rule #1: Never trust anything you get from the user. All data is considered
    harmful until it is validated.

    I.e., yes, anyone can modify the header and post it back to you.

    An encrypted cookie does not protect the data; that's what SSL is for.

    Hope that helps!

    "Buddy Ackerman" <a.ackerman@comcast.net> wrote in message
    news:%23Go7FUKAEHA.3248@TK2MSFTNGP11.phx.gbl...
    > Is there a way to spoof the referer? One security measure that I want to
    > implement is checking to make sure that a request came from a page on my
    > site. In the same vein is it also possible to spoof the remote_host server
    > variable? Would using an encrypted cookie be the best way to secure data
    > being passed back and forth between the client and the server?
    >
    >

    Mr Carter Guest
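
An added example, not code from the thread or from any poster: it contrasts the Referer check the question proposes with a value the server can actually validate, here an HMAC token bound to the session. It assumes .NET 6 or later; the class name, the method names, the `example.test` URL and the session ids are all hypothetical, and the token scheme is one common approach rather than anything the thread prescribes.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class RequestOriginDemo
{
    // Hypothetical server-side secret; a real site loads it from protected configuration.
    static readonly byte[] ServerKey = RandomNumberGenerator.GetBytes(32);

    // Weak check: the Referer header holds whatever the client chose to send.
    public static bool RefererLooksLocal(IDictionary<string, string> headers) =>
        headers.TryGetValue("Referer", out var referer) &&
        referer.StartsWith("https://www.example.test/", StringComparison.OrdinalIgnoreCase);

    // Issued when the server renders the form: HMAC-SHA256 over the session id.
    public static string IssueToken(string sessionId)
    {
        using var mac = new HMACSHA256(ServerKey);
        return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(sessionId)));
    }

    // Validation recomputes the MAC on the server and compares in constant time.
    public static bool TokenIsValid(string sessionId, string submitted)
    {
        if (string.IsNullOrEmpty(submitted)) return false;
        byte[] given;
        try { given = Convert.FromBase64String(submitted); }
        catch (FormatException) { return false; }
        using var mac = new HMACSHA256(ServerKey);
        byte[] expected = mac.ComputeHash(Encoding.UTF8.GetBytes(sessionId));
        return CryptographicOperations.FixedTimeEquals(expected, given);
    }

    static void Main()
    {
        // Constructed request: the Referer was set by the client, and no token from our form is present.
        var clientSupplied = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Referer"] = "https://www.example.test/form.aspx"
        };
        Console.WriteLine($"Referer check accepts it:       {RefererLooksLocal(clientSupplied)}");
        Console.WriteLine($"Token check accepts it:         {TokenIsValid("sess-1", null)}");

        string token = IssueToken("sess-1"); // what the server embedded in its own form
        Console.WriteLine($"Token from our form, same user: {TokenIsValid("sess-1", token)}");
        Console.WriteLine($"Same token, different session:  {TokenIsValid("sess-2", token)}");
    }
}
```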
