#native_company# #native_desc#

Derefer Sites

By Jens Daumann
on September 10, 2000

TIP Difficulty: Beginner

The HTTP Protocol provides the header REFERER containing the last visited URL by the user. Sometimes this is very useful, but also a security risk. All information of an query string appended to the URL by a ? are send to another server.

Especially this is a risk when the programmer of a PHP script transfer a session ID in this querystring. All servers linked , e.g. in an members section, can read out the session ID by using the referer header.

Imagine you linked the www.big-bad-hacker.com, a script on this server discover by calling a script that you came from www.my-good-site.com/members.php?session_id=123456789 and now opens in the same script the members site and download some security related information from your members site, e. g. the members credit card number.

Your member would be very angry with you. To protect your members against this mechanism you should use a so called “Dereferer”. This is a script which is called whenever a user clicks on a link on your site. If www.big-bad-hacker.com now reads out the referer it is capturing the URL of the dereferer page which does not contain the session id.

Here the code Solution:

Set all links as follows: <a href=”dereferer_script.php?site=%original site%”>
replace %orginial site% with the original link, e.g. www.big-bad-hacker.com.

header("Location: " . $site );

Easy but useful, if you use session managment like in PHP4 you can forget the dereferer.

Excuse failures in this text, my english is not perfect.