HOW TO FORCE PASSING A REFERER

  • Thread starter Jonathan Driller
  • Start date
J

Jonathan Driller

I am attempting to block repeat downloads from a site. I need to have
a landing page pass a referer to a secured page. I have tried a meta
refresh redirect and several Javascript redirect strategies but none
pass the referer. How can I force this since the referer property is
read only?

I have set up an .htaccess file so it will only let people into a
secure directory if they come from an internal page on my site. This
is done by checking that the referrer is from my domain (I also set a
72 hour cookie that is checked on the landing page and throws them out
if they don't have it).

I have access to PHP and PERL but this has to be done automatically.

Any ideas appreciated....possibly I need to rethink the strategy but
it would be great if I could force a referer to be passed to the
secure page...

JD
 
G

Grant Wagner

Jonathan said:
I am attempting to block repeat downloads from a site. I need to have
a landing page pass a referer to a secured page. I have tried a meta
refresh redirect and several Javascript redirect strategies but none
pass the referer. How can I force this since the referer property is
read only?

I have set up an .htaccess file so it will only let people into a
secure directory if they come from an internal page on my site. This
is done by checking that the referrer is from my domain (I also set a
72 hour cookie that is checked on the landing page and throws them out
if they don't have it).

I have access to PHP and PERL but this has to be done automatically.

Any ideas appreciated....possibly I need to rethink the strategy but
it would be great if I could force a referer to be passed to the
secure page...

JD
Click to expand...

You can't even be sure it's a web browser accessing the URL, so there is
absolutely no way to force the client to pass the referer.

If you want to stop repeated downloads, then you need to user purely
server-side technology. One suggestion would be:

- the user fills in the form to get whatever it is they want to download
and submits it
- you process the form on the server, use some server processing to build
an id that is random and unique and store that in a database or flatfile,
along with the file they want
- send a URL to the user that uses that random and unique value as a
parameter (ie - Click
http://yourserver/downloadNow.php?id=adfaakj4i31y8923hiph3iy5y294y8130y1
to download file X)
- when they click the link, downloadNow.php would check the database for a
reference to that id, if it finds it, it would return the selected file
(also stored in the database) to the user and remove the id from the
database

In this way, even if I wrote a program that threw random ids at
"downloadNow.php", it's unlikely I'd find one that actually downloads a
file to me, and even if I did happen to find a valid id, I can't be
certain what file I'm going to receive, since it's controlled entirely by
the server.

As well, you probably want a timestamp with the id and file, and a process
that comes along and cleans up ids older than say, a month for those
people that chose to download a file and then never do (you need some way
of getting those id/filename combinations out of the database).

--
| Grant Wagner <[email protected]>

* Client-side Javascript and Netscape 4 DOM Reference available at:
*
http://devedge.netscape.com/library/manuals/2000/javascript/1.3/reference/frames.html

* Internet Explorer DOM Reference available at:
*
http://msdn.microsoft.com/workshop/author/dhtml/reference/dhtml_reference_entry.asp

* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 7 / Mozilla
* http://www.mozilla.org/docs/web-developer/upgrade_2.html
 
J

j driller

Grant,
Thanks for the input.
If I had access to a database I could implement this the way you suggest
(that is, properly). Sadly, that will not come for several months and so
I need a hack that will accomplish this another way. If I can just find
a way to pass a referer I would be ok. I don't worry that there are
firewalls/proxy servers/browsers/spoofers (or that it is a robot etc)
that mess up the referrer - the page passing the referrer is on my site
and passing it to my site. If the user registered they have a 72 hour
cookie that lets them into the landing page. The landing page then sends
them to the secure page. The .htaccess file in the secure directory asks
if the referer is from our site. If yes, they get to download, if no
they get access forbidden. It works fine if you click a manual link to
the the secure page - but, since I cannot get Javascript to pass a
referer, it won't work with a Javascript redirect (or a meta tag
redirect).

More ideas?

JD
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Issue with passing fetched data to POST form. How can I? 0
How to deny access to URL when a countdown timer runs out 0
referer in a frame 3
what's the referer of an applet ? 5
How do I set the default content page) on a Classic ASP file? 0
URL-Rewriting, referer and https 3
How to effectively develop a web application from scratch? 0
How to use PDF-lib and how to center each line of texts on the page? 1

Members online

No members online now.
Total: 26 (members: 0, guests: 26)
Robots: 116

Forum statistics

Threads
473,786
Messages
2,569,626
Members
45,328
Latest member
66Teonna9

Latest Threads

Top