HOW TO FORCE PASSING A REFERER

Re: HOW TO FORCE PASSING A REFERER

Jonathan Driller wrote:
[color=blue]
> I am attempting to block repeat downloads from a site. I need to have
> a landing page pass a referer to a secured page. I have tried a meta
> refresh redirect and several Javascript redirect strategies but none
> pass the referer. How can I force this since the referer property is
> read only?
>
> I have set up an .htaccess file so it will only let people into a
> secure directory if they come from an internal page on my site. This
> is done by checking that the referrer is from my domain (I also set a
> 72 hour cookie that is checked on the landing page and throws them out
> if they don't have it).
>
> I have access to PHP and PERL but this has to be done automatically.
>
> Any ideas appreciated.... possibly I need to rethink the strategy but
> it would be great if I could force a referer to be passed to the
> secure page...
>
> JD[/color]

You can't even be sure it's a web browser accessing the URL, so there is
absolutely no way to force the client to pass the referer.

If you want to stop repeated downloads, then you need to user purely
server-side technology. One suggestion would be:

- the user fills in the form to get whatever it is they want to download
and submits it
- you process the form on the server, use some server processing to build
an id that is random and unique and store that in a database or flatfile,
along with the file they want
- send a URL to the user that uses that random and unique value as a
parameter (ie - Click

to download file X)
- when they click the link, downloadNow.php would check the database for a
reference to that id, if it finds it, it would return the selected file
(also stored in the database) to the user and remove the id from the
database

In this way, even if I wrote a program that threw random ids at
"downloadNow.ph p", it's unlikely I'd find one that actually downloads a
file to me, and even if I did happen to find a valid id, I can't be
certain what file I'm going to receive, since it's controlled entirely by
the server.

As well, you probably want a timestamp with the id and file, and a process
that comes along and cleans up ids older than say, a month for those
people that chose to download a file and then never do (you need some way
of getting those id/filename combinations out of the database).

--
| Grant Wagner <gwagner@agrico reunited.com>

* Client-side Javascript and Netscape 4 DOM Reference available at:
*


* Internet Explorer DOM Reference available at:
*


* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 7 / Mozilla
* http://www.mozilla.org/docs/web-deve...upgrade_2.html

Re: HOW TO FORCE PASSING A REFERER

Grant,
Thanks for the input.
If I had access to a database I could implement this the way you suggest
(that is, properly). Sadly, that will not come for several months and so
I need a hack that will accomplish this another way. If I can just find
a way to pass a referer I would be ok. I don't worry that there are
firewalls/proxy servers/browsers/spoofers (or that it is a robot etc)
that mess up the referrer - the page passing the referrer is on my site
and passing it to my site. If the user registered they have a 72 hour
cookie that lets them into the landing page. The landing page then sends
them to the secure page. The .htaccess file in the secure directory asks
if the referer is from our site. If yes, they get to download, if no
they get access forbidden. It works fine if you click a manual link to
the the secure page - but, since I cannot get Javascript to pass a
referer, it won't work with a Javascript redirect (or a meta tag
redirect).

More ideas?

JD


*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!