1. Board4all.biz is a forum where members can share their knowledge and much more - why not become part of our wonderful community thats been around for over 15 years and create an account with us. We have one of the (if not the) best development sections on the internet, especially Delphi. If you have problems registering you can send an email to admin@board4all.biz and we will look into it. If you are thinking of joining to whine about content, we dont host anything whatsoever illegal so please don't bother wasting our time and yours.

can I change referrer ?

Discussion in 'SW Helpdesk' started by FriendOfGhost, Mar 19, 2014.

  1. FriendOfGhost

    FriendOfGhost is a Trusted Warez PosterFriendOfGhost Registered User

    Joined:
    Jan 15, 2009
    Messages:
    842
    Likes Received:
    4,749
    hi friends... I have a HUGE problem about that. I nee to change referrer in this structure. First site will post data so second site and second site cannot check referrer value.

    first page on FIRSTSITE.COM/test.php

    Code:
    <html>
    <head>
        <title></title>
    </head>
    <body>
        <form action="http://www.SECONDSITE.com/testreferrer.php" method="post">
            value: <input name="field1" type="text" />
            <br />
            <br />
            <input id="submit" type="submit" value="submit" />
        </form>
    </body>
    </html>
    
    second page whick checks the referrer on www.SECONDSITE.com/testreferrer.php

    Code:
    <html>
    <body>
    <form action=" method="post">
        <br>
           Your value is: <?php echo $_POST["field1"]; ?>
        <br>
          referrer:
        <?php echo $_SERVER['HTTP_REFERER']; ?>
        <br>
    </form>
    </body>
    </html> 
    
    normally testreferrer.php shows http//www.FIRSTSITE.COM/test.php as referrer value.

    I want to change it http://www.somesite.com/test.php

    I googled and found out some says "its impossible" as browser sends referrer value but some others claims they change it. Though I tried almost every code piece I found I could not make it run. my servers are linux and I think there should be a way to achieve this.

    any ideas please ?
     
    Enkhtsog likes this.
  2. gj

    gjutras Registered User

    Joined:
    Jul 14, 2010
    Messages:
    5
    Likes Received:
    4
    When and at what point are you trying to change it? And client side or from server 1 as part of it's request handling? You could achieve this client side with a custom app, or a plugin or extension. But purely from script called by a page, I don't think you'll be able to override the browser behavior client side.
     
    Last edited: Dec 29, 2016
    Wonderman likes this.
  3. FriendOfGhost

    FriendOfGhost is a Trusted Warez PosterFriendOfGhost Registered User

    Joined:
    Jan 15, 2009
    Messages:
    842
    Likes Received:
    4,749
    I want some expert/experienced opinions if it can be done because I have web services that check REFERRER value to obtain security. I wanted to know if it can be done or "cheated".

    So If someone calls SECONDSITE by not using browser but creating a request by programming or they use some addons like said then they can change REFERRER is that correct ? As far as I know they can also cheat IP number.

    Then how will I secure my service so it can be used by only one domain ? I have username/password etc but they are known by many people (customer himself, programmer, third party programmer etc...)

    I need some solid variable to identify domain name which request has made. I need to be sure that SECONDSITE page is called from FIRSTSITE not some other site.
     
  4. Cl

    Cleric Registered User

    Joined:
    Dec 20, 2016
    Messages:
    4
    Likes Received:
    7
  5. Gi

    Gitter Registered User

    Joined:
    Jul 5, 2017
    Messages:
    4
    Likes Received:
    3
    Checking the referrer as security measure is only useful if you know that your clients will be legitimate and unmodified web browsers.
    There are plugins for most browsers to alter the referrer behaviour on a per-website basis, or people might just hand-craft the entire request.

    The only thing a referrer check is really good for is to safeguard your users against phishing attacks. From personal experience I can tell you that there are a few people who turn their referrers off entirely (even though this causes them more trouble than anything). And your right, the IP address can be faked by any proxy or VPN.

    What you could do is a reverse DNS lookup (check out PHP's gethostbyaddr function) and only allow a certain masks, which is not easily faked unless you work at an ISP. That is how security for accounts is tightened on IRC servers some of the time.
     
    FriendOfGhost and Wonderman like this.
  6. Ri

    Richard Registered User

    Joined:
    Today
    Messages:
    4
    Likes Received:
    7
    Challenger, FriendOfGhost and Gitter like this.

Share This Page