IIS and SMTP - HTTP_REFERER is blank


Julian

2004-08-19, 7:48 am

My website runs under IIS 6 on Windows Server 2003.

A user tried to send email using one of my web forms, and received an
error from the CGI program which would occur only if the environment
string HTTP_REFERER passed to the program was blank. He is using IE 6
under Win XP, same as me, and the same error occurred twice.

What condition could cause the referer to be blank, when he has clicked
the button on my page?
--
Julian Moss
Tech-Pro Limited
http://www.tech-pro.net/

Ken Schaefer

2004-08-20, 2:50 am

There is no requirement that a HTTP client (eg a browser) send a referer
header - most do though. However, some people have software installed
(usually these SOHO "security suites" like Symantec Internet Security etc)
that "blocks" the client from sending out the HTTP referer as a "privacy"
measure (these programs may also block cookies etc). This would be the most
likely cause in my opinion.

Cheers
Ken

"Julian" <me@tech-pro.invalid> wrote in message
news:uoJ1CTehEHA.3148@TK2MSFTNGP10.phx.gbl...
> My website runs under IIS 6 on Windows Server 2003.
>
> A user tried to send email using one of my web forms, and received an
> error from the CGI program which would occur only if the environment
> string HTTP_REFERER passed to the program was blank. He is using IE 6
> under Win XP, same as me, and the same error occurred twice.
>
> What condition could cause the referer to be blank, when he has clicked
> the button on my page?
> --
> Julian Moss
> Tech-Pro Limited
> http://www.tech-pro.net/



Julian

2004-08-20, 2:50 am

Ken Schaefer wrote:

> There is no requirement that a HTTP client (eg a browser) send a
> referer header - most do though. However, some people have software
> installed (usually these SOHO "security suites" like Symantec
> Internet Security etc) that "blocks" the client from sending out the
> HTTP referer as a "privacy" measure (these programs may also block
> cookies etc). This would be the most likely cause in my opinion.
>
> Cheers
> Ken


Ken, thanks!

The problem did indeed turn out to be someone using Norton Firewall.

I probably need to find a more appropriate newsgroup for my next
question, which is how can my CGI script check that it is only being
called from one of my own web pages if it can't rely on getting the
referer information?

--
Julian

Ken Schaefer

2004-08-22, 8:47 pm


"Julian" <me@tech-pro.invalid> wrote in message
news:eLLYg1ohEHA.3932@TK2MSFTNGP09.phx.gbl...
> Ken Schaefer wrote:
>
>
> Ken, thanks!
>
> The problem did indeed turn out to be someone using Norton Firewall.
>
> I probably need to find a more appropriate newsgroup for my next
> question, which is how can my CGI script check that it is only being
> called from one of my own web pages if it can't rely on getting the
> referer information?


HTTP is stateless, so there's no 100% guaranteed way you can do this.

a) you can set a cookie
b) you can pass information in the querystring etc

Both can be spoofed by malicious users, but you can make it quite difficult.
For example, create a temporary session for the user using a GUID as a key,
and then roundtrip this to the client via a cookie. On the next page,
validate that the client is returning a valid cookie value. However,
clients that are blocking cookies (again using things like Norton Firewall)
will not be able to use your page.

If you really require a stateful solution, you need to look at using Java
applets, Flash controls or ActiveX plugins - things that can maintain a
continuous connection back to the server.

Cheers
Ken
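
The cookie round trip described in the reply above, as an added example that is not part of the original thread: the form page issues an unguessable session key in a cookie, and the form handler accepts a submission only if that key comes back, is known and has not expired. The cookie name, the 15-minute lifetime, the in-memory store, the single-use rule and the use of Python's `secrets` module in place of a GUID are assumptions made for the sketch.

```python
import secrets
import time
from http.cookies import SimpleCookie, CookieError

COOKIE_NAME = "form_session"   # hypothetical cookie name
SESSION_TTL = 900              # seconds a form session stays valid (assumed)

# In-memory store for the sketch: token -> expiry time. A CGI process exits
# after each request, so in practice this would be a file or database table.
_sessions = {}

def issue_form_session(now=None):
    """Run when the form page is served. Returns (token, Set-Cookie value)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # unguessable key, used instead of a GUID
    _sessions[token] = now + SESSION_TTL
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True     # keep the key away from page scripts
    return token, cookie[COOKIE_NAME].OutputString()

def validate_submission(cookie_header, now=None):
    """Run by the form handler on the HTTP_COOKIE environment string.
    Returns 'ok', 'no-cookie', 'unknown' or 'expired'."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return "no-cookie"
    if COOKIE_NAME not in jar:
        return "no-cookie"     # cookies blocked, or the form page was never loaded
    # pop() makes each key single-use, so a captured cookie cannot be replayed
    expiry = _sessions.pop(jar[COOKIE_NAME].value, None)
    if expiry is None:
        return "unknown"       # forged, mistyped or already used key
    if now > expiry:
        return "expired"
    return "ok"
```

Returning `no-cookie` separately from `unknown` lets the handler show a "please enable cookies" message to visitors whose software strips cookies, instead of the generic error the blank referer produced.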



Copyright 2003 - 2008 webservertalk.com