WebApp Sec mailing list archives

Re: Re: HTTP REFERER not set in Internet Explorer


From: mike () sharecube com
Date: 18 Nov 2005 17:59:57 -0000


Hi Saqib,

If you want to track repeat customers, use cookies. If you want to track referers, use unique urls that contain a code 
that maps to referrers in your database.

One twist to cookies that I use is to store a public key of the user. The key is used to encode their password and 
send a digest. In this way, passwords are never sent (even over an SSL connection). I also never store passwords (only 
digests).

If no cookie is available, I record the fact and encode the password using a general public key. I can then challenge 
the user.

Anyone with a bit of smarts can encrypt a password (just as they could randomly guess at a password), but they cannot 
steal passwords from the server (none there), or sniff using SSL sniff tools.

Mike

