Hello everyone,

I was wondering if there was a way to send a referer with an HTTP request even though it is turned off in the browser (e.g. with JavaScript)?

The problem I have when the referrer is not sent:

I am trying to minimize the chances of attacks, so whenever a page is loaded I am changing the sessionkey ... the sessionid stays the same, but the key changes ... so basically when a page has some script- or style-files that need to be sent from the server the refer(r)er is the page that needs them to be displayed correctly or has some parts that need the script. When I change into another page on my server the refer(r)er changes. Ok, to explain it, here is a pattern (if it is not understandable, please say so):

start:  GET test.html --> referrer := null
            `--> GET style.css --> referrer := test.html
---- CLICK ON LINK TO GO TO: 'form.html'
        GET form.html --> referrer := test.html
            `--> GET sendRequest.js --> referrer := form.html
            `--> GET style.css --> referrer := form.html
---- CALL A PAGE DIRECTLY OVER ADDRESS BAR: http://somedomain.com/someotherpage.html
        GET someotherpage.html --> referrer := null

So, to make the change of sessionkey work: I only change the sessionkey when the refer(r)er is null or I am changing to another page ... BUT that won't work when "Send referer" is turned off, like you could do when using Opera ... b/c then the refer(r)er is always null and I get into trouble when the client sends the request for style.css from the test.html-page b/c then the new sessionkey would be set, but the request for the style.css comes in with the old sessionkey ... so the easiest way (I think ... maybe I am missing something) would be to work with the refer(r)er ...

+5  A: 

I think that you've overcomplicated this.

They have to have cookies enabled in order for session to work. Add a cookie with a copy of the current session key. Whenever an html file is requested, test to see if the cookie key and the session key match. If they don't then you probably have a replay attack going on. Go ahead and ignore requests for .css, ., etc. All you really should care about is your html files.

Update the key and write it to your session variable and the cookie whenever an html file is requested.

With this, referrer is immaterial (it can be spoofed anyway) and you are protected against replay, which, I think, is what you're ultimately after.

Chris Lively
that is the main concern ... and yeah, I might have overcomplicated the whole thing a bit, but I have my guidelines I have to move along with, so it is kinda tough ... But I'll look into this (unfortunately cookies are no options ... :( ... but I think I have another idea now) Thnx!
doro
seems to work fine ... though I will give it some more testing ;) ... THNX
doro
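The scheme described in the answer above, as an added example that is not part of the original thread: the key is checked and rotated only on page requests, so an asset request carrying the previous key is harmless and the referer is never consulted. The in-memory store, the function names and the choice to drop the session on a mismatch are assumptions of this sketch.

```javascript
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Constructed in-memory session store: sessionId -> current session key.
const sessions = new Map();
const newKey = () => randomBytes(32).toString('hex');

// Only page loads are checked and rotated; .css, scripts etc. are ignored.
const isPage = (path) => /\.html?$/i.test(path.split('?')[0]);

// Constant-time comparison of the cookie copy against the stored key.
function sameKey(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// Creates the session and returns the first key (sent to the client as a cookie).
function startSession(sessionId) {
  const key = newKey();
  sessions.set(sessionId, key);
  return key;
}

// cookieKey is the copy of the key the client sent back with this request.
function handleRequest(sessionId, path, cookieKey) {
  const current = sessions.get(sessionId);
  if (current === undefined) return { ok: false, reason: 'no-session' };
  if (!isPage(path)) return { ok: true, rotated: false };
  if (!sameKey(cookieKey, current)) {
    // A stale key on a page request looks like a replay.
    // Dropping the session here is this example's policy, not the answer's.
    sessions.delete(sessionId);
    return { ok: false, reason: 'key-mismatch' };
  }
  const next = newKey();
  sessions.set(sessionId, next); // update the session variable ...
  return { ok: true, rotated: true, setCookie: next }; // ... and the cookie
}
```
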
A: 

Not sure what JavaScript you were hoping to use here but do keep in mind that if you are using JavaScript to set where the user is going to (e.g. the next page) then IE won't send the referrer at all!

So be wary of what magic you add to your page transitions.

scunliffe
yeah, but I was hoping I could send the referrer with js in case it is turned off in the browser ... but then again, the user could turn off js and then I am screwed anyways ;) LOL ...
doro
A: 

Well, I won't say I understand your problem, but I may have a solution for referer simulation with JavaScript: you can use the window.name property for storing the last loaded URL, and before you overwrite it, it should store the last loaded page's URL.

(To be honest I haven't tested window.name for this purpose, but I indeed have used it for cross-domain communication...)

Hope this helps.

ShdNx
Thnx, I will try that :)
doro