Ideas for Improving ASP and ASP.NET Web Application Security - Part 1
page 3 of 6
by Brett Burridge
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 28115/ 97

Do not rely on HTTP_REFERER Server Variable

The HTTP_REFERER server variable records the URL of the page the user's browser visited before the current page.  As such, it is sometimes used to check that a form was submitted from the correct form and that the submission did not originate from elsewhere.

While this is a useful technique to guard against automated form submissions, there are, however, a number of issues with using the HTTP_REFERER server variable.

Some proxy servers and content filtering services mask the value of the HTTP_REFERER or even strip it out altogether before the request arrives at the destination server.

An increasing number of Internet web robots are being used with a fake value for the HTTP_REFERER server variable.

The HTTP_REFERER server variable can be easily faked by many of the tools used to create automated web-crawling robots and form submission utilities.

Consequently, there are disadvantages to using the HTTP_REFERER server variable to increase the security of web applications.  Alternative strategies to securing forms would be to include using a graphical sequence of characters that a user has to type into the form before submission (i.e. a Captcha, see http://www.captcha.net/), or to include certain dynamically-generated, hidden fields within the form that must also be present when the form is submitted.


View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2020 ASPAlliance.com  |  Page Processed at 2020-07-05 9:45:28 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search