referrer spoofing protection
(#1) kops
referrer spoofing protection - 06-02-2007, 08:53 PM

Is there any way I can protect my site from people using zspoof /
supermegaspoof etc. to spoof the referrer header?

Any help much appreciated,

Thanks, Jon.


   

Re: referrer spoofing protection
(#2) David Dorward
Re: referrer spoofing protection - 06-02-2007, 08:53 PM

On May 30, 1:37 pm, "kops" <k...@kops.com> wrote:
> Is there any way I can protect my site from people using zspoof /
> supermegaspoof etc. to spoof the referrer header?


Just don't trust the referrer header in the first place, it is
optional to begin with. (More specific advice is hard to offer without
knowing what you are trying to achieve by looking at said header).

--
David Dorward
http://dorward.me.uk/
http://blog.dorward.me.uk/

   
Re: referrer spoofing protection
(#3) kops
Re: referrer spoofing protection - 06-02-2007, 08:53 PM

"David Dorward" <EMAIL REMOVED> wrote in message:
> On May 30, 1:37 pm, "kops" <k...@kops.com> wrote:
>> Is there any way I can protect my site from people using zspoof /
>> supermegaspoof etc. to spoof the referrer header?
>
> Just don't trust the referrer header in the first place, it is
> optional to begin with. (More specific advice is hard to offer without
> knowing what you are trying to achieve by looking at said header).
>
> --
> David Dorward
> http://dorward.me.uk/
> http://blog.dorward.me.uk/
>


Hi David & thanks for the response,

So from what I understand, the only way around this if I have a ring of
sites would be to ask each user to authenticate separately at each site
rather than using the referral method?

Thanks again,

jon


   
Re: referrer spoofing protection
(#4) David Dorward
Re: referrer spoofing protection - 06-02-2007, 08:53 PM

On May 30, 3:15 pm, "kops" <k...@kops.com> wrote:
> "David Dorward" <dorw...@gmail.com> wrote in message


> > Just don't trust the referrer header in the first place, it is
> > optional to begin with. (More specific advice is hard to offer without
> > knowing what you are trying to achieve by looking at said header).


> So from what I understand, the only way around this if I have a ring of
> sites would be to ask each user to authenticate separately at each site
> rather than using the referral method?


No, as I said, it's hard to give specific advice without knowing the
details. If you're looking to have centralized authentication, then
you could probably do something along the lines of:

1. generate a hard-to-guess identifier with a short life
2. send that to the server hosting the other site
3. redirect the user to that site with that identifier in the query
string
4. use that generated token as evidence of who the user is

(That's rough and ready and I haven't looked at security implications
in depth, but I think it is along the right lines).

--
David Dorward
http://dorward.me.uk/
http://blog.dorward.me.uk/
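
The four-step hand-off outlined in post #4, as an added example that is not part of the original thread or any poster's code. The names `RelyingSite` and `hand_off`, the 60-second lifetime, the `b.example` URL, single-use redemption and storing only a hash of the token are assumptions of this sketch; the in-process `register` call stands in for an authenticated server-to-server request. The Referer header is never consulted.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

TOKEN_TTL = 60  # seconds; assumed value for the "short life" in step 1


class RelyingSite:
    """Site B: accepts tokens pushed by site A and redeems each at most once."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(token) -> (username, expiry time)
        self._clock = clock

    def register(self, token, username):
        # Step 2: called by site A over the back channel, never by the browser.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self._clock() + TOKEN_TTL)

    def redeem(self, url):
        # Step 4: the token in the query string is the evidence of identity.
        values = parse_qs(urlparse(url).query).get("token", [])
        if len(values) != 1:
            return None
        digest = hashlib.sha256(values[0].encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a replayed URL finds nothing
        if entry is None:
            return None
        username, expiry = entry
        return username if self._clock() <= expiry else None


def hand_off(username, site_b, landing_url):
    """Site A, steps 1-3: returns the URL to redirect the logged-in user to."""
    token = secrets.token_urlsafe(32)  # step 1: 256 bits from the OS CSPRNG
    site_b.register(token, username)   # step 2: tell site B about the token
    return landing_url + "?" + urlencode({"token": token})  # step 3
```
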

   