
| Subject: | RE: HTTP REFERER not set in Internet Explorer |
|---|---|
| Date: | Thu, 17 Nov 2005 08:39:36 +0200 |
1.- I don't think that HTTP_REFERER can be used for security purposes. It is totally controlled by the client and an attacker using whatever tool of choice can insert the correct value any time.

2.- The phenomenon is due to your use of javascript to invoke navigation. It seems that when javascript is used for navigation in IE, the referer field is left blank (this might be considered by some a security measure against XSS and such).

Amichai Shulman
CTO
Imperva, Inc.
12 Hachilazon St.
Ramat-Gan Israel
Office: 972-3-6120133 (103)
Mobile: 972-54-5885083
E-mail: shulman@imperva.com

InfoWorld product review gives Imperva the HIGHEST SCORE in Application Security http://imperva.com/go/iw/

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml@gmail.com]
Sent: Wednesday, November 16, 2005 6:17 PM
To: webappsec@securityfocus.com
Subject: HTTP REFERER not set in Internet Explorer

Hello,

I am writing a secure application that tracks users on a website by use of HTTP_REFERER. But it seems like Internet Explorer is not properly populating this field.

Visit the following website using IE and Firefox.

http://www.xml-dev.com/blog/referer_test.php

And click on the Link that says "Click Here".

With Firefox, the correct HTTP_REFERER will be displayed after you click the link. But with I.E. the HTTP_REFERER is set to blank.

Has anyone run into this issue? How did you make your application compatible with both I.E. and Mozilla based browsers?

Because of some security concerns I need the HTTP_REFERER to be set correctly. If it is not possible, I will have to restrict my users to a Mozilla based browser.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
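The two points in the reply above, as an added example that is not part of the original thread: a Referer check rejects a legitimate request that arrives with no Referer (as with IE's JavaScript navigation) yet accepts any request that supplies the expected value, while a server-issued token bound to the session does neither. The key, URL prefix, session ids and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment server secret (generated here for the demo).
SERVER_KEY = secrets.token_bytes(32)
# Assumption: constructed site URL used only for this illustration.
TRUSTED_PREFIX = "https://app.example/"


def referer_check(headers):
    """Weak control: trusts a header the client fully controls or may omit."""
    return headers.get("Referer", "").startswith(TRUSTED_PREFIX)


def issue_token(session_id, action):
    """Server side: derive a token bound to one session and one action."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def token_check(session_id, action, presented):
    """Recompute the token server side and compare in constant time."""
    expected = issue_token(session_id, action)
    return hmac.compare_digest(expected.encode(), (presented or "").encode())


def demo():
    """Run both checks over constructed requests and return the verdicts."""
    sid = "sess-1234"                                  # constructed session id
    no_referer = {}                                    # legitimate user, header absent
    supplied = {"Referer": TRUSTED_PREFIX + "page"}    # value chosen by the client
    token = issue_token(sid, "transfer")               # embedded in the served form
    return {
        "referer_legit_blank": referer_check(no_referer),
        "referer_client_supplied": referer_check(supplied),
        "token_legit": token_check(sid, "transfer", token),
        "token_guess": token_check(sid, "transfer", "0" * 64),
        "token_other_session": token_check("sess-9999", "transfer", token),
        "token_missing": token_check(sid, "transfer", None),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```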