House of Fusion
Search over 2,500 ColdFusion resources here
  
Home of the ColdFusion Community

Mailing Lists
Home /  Groups /  ColdFusion Talk (CF-Talk)

CGI HTTP REFERER

  << Previous Post |  RSS |  Sort Oldest First |  Sort Latest First |  Subscribe to this Group Next >> 
Top  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Cornillon, Matthieu
07/27/2002 06:52 PM

Okay.  I'm stumped.  I had this whole lovely plan for something I'm working on.  It involved looking at the value of CGI.HTTP_REFERER.  But that value isn't coming up on my radar.  It doesn't matter what browser I use.  It's just not there.  I've tried different spellings (REFERRER, REFERER), looped through every variable available, put a reference without a variable scope prefix, everything.  It just doesn't show up. I understand that the CGI variables returned are based on the server configuration.  So I guess my entire pile of questions is: A) Am I doing something simple and obviously stupid? B) What would I have to do to my server to get it to return this variable: is it on the CFAS side, or on the HTTP-server-software side? Thanks for any help anyone can give.  I need this blasted variable!! Matthieu

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Douglas Brown
07/27/2002 07:04 PM

The syntax on the first one is correct. Are you referencing it after a page request or form submittal? Douglas Brown Email: dbrown@socal.rr.com ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Cornillon, Matthieu
07/27/2002 07:51 PM

I'm checking it in my Application.cfm.  I want to see whether the page before the current page is from my site or not.  If not, I want to do something different.  I am guessing that my company's firewall is set to block outgoing referer information from the browser.  I am checking into this with my IT department. Thanks anyway, Matthieu The syntax on the first one is correct. Are you referencing it after a page request or form submittal? Douglas Brown Email: dbrown@socal.rr.com > Okay.  I'm stumped.  I had this whole lovely plan for something I'm working > on.  It involved looking at the value of CGI.HTTP_REFERER.  But that value > isn't coming up on my radar.  It doesn't matter what browser I use.  It's > just not there.  I've tried different spellings (REFERRER, REFERER), looped ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Douglas Brown
07/27/2002 08:02 PM

Hmmmm not sure it will work in application.cfm due to that being the first file processed by CF. It needs to have a referring page, hence the name. Douglas Brown Email: dbrown@socal.rr.com ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Jim McAtee
07/27/2002 08:24 PM

Which web server and version of CF are running on this server?  On my CF5/IIS5 server, I always have the exact same set of CGI variable (including CGI.HTTP_REFERER), but some of them will sometimes have a zero length string as there value.  A firewall would have to _strip_ the referer header from the HTTP request... a lot of work, and I can't imagine what additional security would be gained from doing this. Jim ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Joe Eugene
07/27/2002 08:30 PM

Turn on "Debugging" on you development box. This should show you all the values in the CGI scope. Joe Okay.  I'm stumped.  I had this whole lovely plan for something I'm working on.  It involved looking at the value of CGI.HTTP_REFERER.  But that value isn't coming up on my radar.  It doesn't matter what browser I use.  It's just not there.  I've tried different spellings (REFERRER, REFERER), looped through every variable available, put a reference without a variable scope prefix, everything.  It just doesn't show up. I understand that the CGI variables returned are based on the server configuration.  So I guess my entire pile of questions is: A) Am I doing something simple and obviously stupid? B) What would I have to do to my server to get it to return this variable: is it on the CFAS side, or on the HTTP-server-software side? Thanks for any help anyone can give.  I need this blasted variable!! Matthieu

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
mark brinkworth
07/27/2002 11:12 PM

Some firewalls (such as Norton's - I know this from personal experience), block or change the http_referer that is sent from the browser to the server. In the case or Norton, it gets changed to http_weferer, and consists of a rather random looking alphabet soup. Cheers, Mark ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Michael Kear
07/27/2002 11:31 PM

The correct spelling is the American spelling  - i.e. cgi.http_referer  even though my outlook insists on arguing with me and changing it to referrer. But as you have discovered, not all browsers send the parameter, because the anti-spamming measures adopted by a lot of people block it.  This hasn't been much of a worry until recently.  But a site I'm working on has a rapidly increasing number of users with this problem, and I'm having to re-write a whole application which relied on http_referer to verify the user had access.     Computers are increasingly being delivered to users with personal firewalls installed and that gives rise to the problem. IN short, if you're planning an application that's going to need http_referer, my advice is to re-think it! Cheers, Mike Kear Windsor, NSW, Australia AFP WebWorks Some firewalls (such as Norton's - I know this from personal experience), block or change the http_referer that is sent from the browser to the server. In the case or Norton, it gets changed to http_weferer, and consists of a rather random looking alphabet soup. Cheers, Mark ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
mark brinkworth
07/28/2002 12:03 AM

I have always regarded the use of HTTP_Referer as a security measure to be rather poor, as it can easily be spoofed. So my sites don't rely on it, although occassionally they may use it to refine error messages. Cheers ----- Excess quoted text cut - see Original Post for more -----

Top  |   Parent  |   Reply  |   Original Post  |   RSS Feed  |   Subscribe to this Group
Author:
Dave Watts
07/28/2002 05:58 PM

> A firewall would have to _strip_ the referer header from > the HTTP request... a lot of work, and I can't imagine what > additional security would be gained from doing this. Imagine that you've got a relatively unsavory site with a bunch of links to less unsavory sites. You might not want to have the "good" site log the fact that you came from the "bad" site. A minor issue, but there are those concerned enough about their privacy to care about this. In any case, it's not a lot of work for a firewall to strip that one header. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444


<< Previous Thread Today's Threads Next Thread >>

Search cf-talk

September 02, 2014

<<   <   Today   >   >>
Su Mo Tu We Th Fr Sa
   1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30         

Designer, Developer and mobile workflow conference