html referrer spoofing


Aaron

I would like to make a page that's only accessible from a certain website,
so I did this:

Uri referrer = HttpContext.Current.Request.UrlReferrer; // null when the header is absent
if (referrer != null && referrer.ToString().Trim().StartsWith("http://www.approveddomain.com"))
    method(); // access page
else
    accessdenied();

--------------

Did I do this right? I know there are programs out there that can spoof the HTTP
referrer. Would my code still work?

i.e. a spoofed URL:

http://www.hacker.com/@http://www.approveddomain.com

I need to make sure my code works 100% of the time.



Thanks

Aaron
 
No, since any referrer can be passed in a request, you cannot rely on it for security.

 
Well, all it would take is for somebody to write to the headers, and your
security has been defeated. Do you have any control over this other site? If
so, then you can have that site set some variable somewhere that your target
site goes in and reads. For example, it could generate a new GUID, store
this in a database, and then add it to the querystring. The target site can
then read this GUID, compare it to the database, and then clear the
database. If you need to be absolutely guaranteed that the user hasn't
modified the headers somehow, then you have to store something on your end
that the user/attacker cannot get to.
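
The handoff described in the reply above, sketched in C# as an added example that is not part of the original thread. Assumptions: the class name HandoffTokenStore, an in-memory dictionary standing in for the database both sites can reach, a two-minute lifetime, the target.example URL, and a 128-bit value from RandomNumberGenerator used in place of Guid.NewGuid().

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper: an in-memory dictionary stands in for the database
// that both sites can reach. Names and the lifetime are assumptions.
public sealed class HandoffTokenStore
{
    private readonly ConcurrentDictionary<string, DateTime> _pending =
        new ConcurrentDictionary<string, DateTime>();
    private readonly TimeSpan _lifetime;

    public HandoffTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }
    // Referring site: create a token, record it, append it to the link.
    public string Issue(DateTime nowUtc)
    {
        var bytes = new byte[16];                 // 128 bits, same size as a GUID
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);                  // CSPRNG instead of Guid.NewGuid()
        string token = BitConverter.ToString(bytes).Replace("-", "");
        _pending[token] = nowUtc + _lifetime;
        return token;
    }

    // Target site: accept the token once, and only before it expires.
    public bool Redeem(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return false;
        DateTime expiresUtc;
        // TryRemove is atomic: two concurrent requests cannot both redeem.
        if (!_pending.TryRemove(token, out expiresUtc)) return false;
        return nowUtc <= expiresUtc;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new HandoffTokenStore(TimeSpan.FromMinutes(2));
        DateTime now = DateTime.UtcNow;
        string token = store.Issue(now);
        Console.WriteLine("link: https://target.example/page.aspx?t=" + token); // constructed URL
        Console.WriteLine(store.Redeem(token, now.AddSeconds(30)));  // first use
        Console.WriteLine(store.Redeem(token, now.AddSeconds(31)));  // replay of the same link
        string late = store.Issue(now);
        Console.WriteLine(store.Redeem(late, now.AddMinutes(5)));    // past the lifetime
    }
}
```

Unlike the Referer header, the token is checked against state held on the server, so a value the visitor makes up or replays does not match anything in the store.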
 