Re: HTTP REFERER not set in Internet Explorer

IIRC, the Referer header is not required by HTTP/1.1.  Never count on  
it being there.  If you are dependent on it for security, remember it  
is easily spoofed.

-dhs

Dean H. Saxe, CEH
dean@fullfrontalnerdity.com
"I have always strenuously supported the right of every man to his  
own opinion, however different that opinion might be to mine. He who  
denies another this right makes a slave of himself to his present  
opinion, because he precludes himself the right of changing it."
    -- Thomas Paine, 1783



On Nov 16, 2005, at 11:16 AM, Saqib Ali wrote:

> Hello,
>
> I am writing a secure application that tracks users on a website by
> use of HTTP_REFERER. But see like Internet Explorer is not properly
> populating this field.
>
> Visit the following website using IE and Firefox.
> http://www.xml-dev.com/blog/referer_test.php
>
> And click on the Link that says "Click Here"
>
> With Firefox, the correct HTTP_REFERER will be displayed after you
> click the link. But with I.E. the HTTP_REFERER is set to blank.
>
> Has anyone ran into this issue? How did you make your application
> compatible with both I.E and Mozilla based browsers?
>
> Because of some security concerns I need the HTTP_REFERER to be set
> correctly. If it is not possible, I will have to restrict my users to
> a Mozilla based browser.
>
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/blog/
> Consensus is good, but informed dictatorship is better.