Http_referer lost using https

Imagine two web pages that are viewed over https. They live in different domains.

How can I (reasonably) verify that someone who came to my page came through a hyperlink that is in another (specific) domain? I just want to allow traffic from this domain. Any ideas on the best way to achieve this would be appreciated.

I tried to look at HTTP_REFERER, but apparently it is not sent in this case. I know that the HTTP RFC says not to send referrer information from https → http, but does this also apply to https → https, across SSL domains or certificates?

My domain runs on ASP.NET, if that matters. I do not control the source domain.

Thanks.

+5
3 answers

Building on mjv's answer: put an HMAC (RFC 2104) in the URL. Have a shared secret between the two servers, and have the source server generate links of the form /timestamp/hmac/path. The HMAC should be computed as hmac(key, timestamp + path), so that different pages produce different HMACs. The destination server can then decide whether the timestamp is recent enough for the request to have come from the redirect.

You can further restrict this by putting the client IP address in the HMAC, assuming that the same client that received the URL is also the one that resolves it. However, this may fail in the presence of HTTP proxies that only handle http, not https, or vice versa.

+6
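The signed-link scheme described in this answer and in mjv's answer below, as an added example that is not code from either answer (the question mentions ASP.NET, but Python is used here so the example is self-contained and runnable): the source server builds links of the form /timestamp/hmac/path with a shared key, and the destination server recomputes the HMAC, compares it in constant time, and rejects links that are stale, future-dated or bound to a different client IP. The key value, the five-minute validity window and the clock-skew allowance are assumptions.

```python
import hashlib
import hmac
import time

# Hypothetical shared secret; both servers would load this from configuration.
# Rotating it invalidates every outstanding link.
SHARED_KEY = b"example-shared-secret-rotate-me"
MAX_AGE_SECONDS = 300      # assumed validity window for a generated link
CLOCK_SKEW_SECONDS = 60    # assumed tolerated clock drift between the two servers


def _mac(key, timestamp, path, client_ip=None):
    """HMAC-SHA256 over timestamp + path (+ optional client IP), hex-encoded.

    Fields are newline-separated so the timestamp/path boundary cannot be
    shifted by an attacker choosing a path that starts with digits.
    """
    fields = [str(timestamp), path]
    if client_ip is not None:
        fields.append(client_ip)
    msg = "\n".join(fields).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_link(key, path, now=None, client_ip=None):
    """Source server side: build a link of the form /<timestamp>/<hmac>/<path>."""
    path = path.lstrip("/")
    if "\n" in path:
        raise ValueError("path must not contain a newline (used as field separator)")
    ts = int(time.time() if now is None else now)
    return "/%d/%s/%s" % (ts, _mac(key, ts, path, client_ip), path)


def verify_link(key, url, now=None, client_ip=None, max_age=MAX_AGE_SECONDS):
    """Destination server side: return (True, path) if the link is genuine
    and fresh, otherwise (False, reason)."""
    parts = url.lstrip("/").split("/", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return False, "malformed"
    ts_str, tag, path = parts
    ts = int(ts_str)
    now = int(time.time() if now is None else now)

    # Constant-time comparison: a plain == would leak how many leading
    # characters of a forged tag were correct.
    expected = _mac(key, ts, path, client_ip)
    if not hmac.compare_digest(expected, tag):
        return False, "bad mac"

    # Only a link with a valid MAC is worth checking for freshness.
    if ts > now + CLOCK_SKEW_SECONDS:
        return False, "timestamp in the future"
    if now - ts > max_age:
        return False, "expired"
    return True, path


if __name__ == "__main__":
    # Constructed walk-through: the source server mints a link, the destination
    # server accepts it shortly afterwards and rejects it once it has expired.
    link = make_link(SHARED_KEY, "/secure/report?id=7", now=1_700_000_000)
    print(link)
    print(verify_link(SHARED_KEY, link, now=1_700_000_100))
    print(verify_link(SHARED_KEY, link, now=1_700_000_400))
```

The timestamp alone does not prevent a valid link from being replayed within the window by anyone who obtains it; binding the client IP narrows that, at the cost of the proxy problem the answer mentions. If single use is required, the destination server has to remember the tags it has already accepted for the length of the window.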

Regardless of whether the RFC permits sending HTTP_REFERER or not, you will find that many web clients and/or proxies or other gateways that handle confidential information between themselves and the server strip or spoof HTTP_REFERER in the header, breaking most HTTP_REFERER-based authentication schemes, or leaving them at best partially functional.

If you cooperate with the custodian of the first https server, you can agree on passing a hash code of type + something_else in the requests to your server. By checking the hash code on your end, you will know that your https visitor came from the other server [recently].

+5

If you do not have control over the linking site, you are out of luck.

Enforce the referrer if you can, and if it does not appear, show a landing page that says: "Click here to go to site A so you can come back here."

Also, spend some time working on a more reliable way to access your "secure" site.

0
