tags:

views:

452

answers:

3
+1  Q: 

http_referer lost using https

Picture two web pages, both viewed using https. They reside on different domains.

How can I (reasonably) ensure that someone arriving at my page came via a hyperlink that resides on another (specific) domain? I only want to allow traffic from that domain. Any ideas on the best way to accomplish this would be appreciated.

I tried looking at the HTTP_REFERER, but apparently it is not being sent in this case. I know that the HTTP RFC specifies not sending the referrer info from https -> http, but does this also apply to https -> https across domains or ssl certs?

My domain runs on ASP.NET if it matters. I have no control over the source domain.

Thank you.

+3  A: 

Whether or not the RFCs allow the sending of http_referer or not, you'll find that many web clients and/or the proxies or other privacy-related gateways between it and the server will remove or spoof the http_referer in the header, rending most http_referer-based "authentication" scheme partially functional at best.

If you have some collaboration with the custodian of the first https server, you may agree on passing along a time+something_else-based hash code of sort in the requests to your server. By verifying the hashcode on your end, you'll known your https visitor came from the other server [very recently].

mjv  2009-09-07 20:43:08
+2  A: 

Elaborating on mjv's response: you should put HMAC (RFC 2104) into the URL. Have a shared secret between the two servers, and have the originating server generate links of the form /timestamp/hmac/path. The hmac should be verified from hmac(key, timestamp+path), so that different images generate different hmacs. The target server can then decide whether the timestamp is young enough to originate from a redirect.

You can further restrict that by putting the IP address of the client into the hmac, requring that the same client that received the URL is also resolving it. That may be error-prone, though, in the presence of HTTP proxies which process only http and not https or vice versa.

Martin v. Löwis  2009-09-07 22:51:05
A: 

If you've got no control over the referring site you are out of luck.

Sniff the referrer if you can, and if it's not present throw up a landing page that says "click here go to site A so you can come back here".

Additionally, spend some time working on a more robust method of accessing your 'secure' site.

Antony  2009-09-07 23:20:56
That's my problem, the fact that the referrer is not present when someone arrives from site A. I need that "go to site A" error to show up for everyone else.As for accessing the site, site A directs people to my login page. They can't do much without a login other than admire the work of my graphic designers.
BlueRonin  2009-09-08 12:07:43

related questions

How would you implement a secure static login credentials system in Java?
Blocking https url's in a embedded gecko browser
Restrict Apache to only allow access using SSL for some directories
How to put up an off-the-shelf https to http gateway?
Rails SSL Requirement plugin -- shouldn't it check to see if you're in production mode before redirecting to https?
What's the best way to learn server RESTful code?
Force HTTPS. How is it possible?
How can I get LWP to validate SSL server certificates?
What must I do to make content such as images served over HTTPS be cached client-side?
What does a PHP developer need to know about https / secure socket layer connections?
What's a clean/simple way to ensure the security of a page?
Making sure a web page is not cached, across all browsers.
Best way in asp.net to force https for an entire site?
Any way to handle Put and Delete verbs in ASP.Net MVC?
Response.Redirect with POST instead of Get?
How to get the correct Content-Length for a POST request.
IIS7: HTTP->HTTPS Cleanly
[ASP.NET ERROR] The request was aborted: Could not create SSL/TLS secure channel.
Testing HTTPS files with MAMP
How do banks remember "your computer"?
Avoid traffic shaping by using ssh on port 443
Convince Firefox to send an If-Modified-Since header over HTTPS
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
Options for Google Maps over SSL