WebApp Sec mailing list archives

RE: HTTP REFERER not set in Internet Explorer


From: "drm" <drm () e-netaudit com>
Date: Fri, 18 Nov 2005 07:00:56 +1030

I have to agree: don't rely on anything from the client for security. But
for your referrer test - it does work, sort of :)

- result output from IE 6
Click Here;
http://www.google.com.au/search?hl=en&q=http%3A%2F%2Fwww.xml-dev.com%2Fblog%2Freferer_test.php%3Faction%3Doutput&meta


Put http://www.xml-dev.com/blog/referer_test.php?action=output into Google,
then click on the 'if URL is valid' link.

The problem might be just the way you redirect IE.

-DM


-----Original Message-----
From: Ory Segal [mailto:osegal () watchfire com] 
Sent: Thursday, 17 November 2005 10:19 PM
To: Saqib Ali; webappsec () securityfocus com
Subject: RE: HTTP REFERER not set in Internet Explorer

While we're at it - I'll join the mob, by saying:

Don't rely on the HTTP REFERER for security. :-)

-Ory

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Wednesday, November 16, 2005 6:17 PM
To: webappsec () securityfocus com
Subject: HTTP REFERER not set in Internet Explorer

Hello,

I am writing a secure application that tracks users on a website by use
of HTTP_REFERER. But it seems like Internet Explorer is not properly
populating this field.

Visit the following website using IE and Firefox.
http://www.xml-dev.com/blog/referer_test.php

And click on the Link that says "Click Here"

With Firefox, the correct HTTP_REFERER will be displayed after you click
the link. But with I.E. the HTTP_REFERER is set to blank.

Has anyone run into this issue? How did you make your application
compatible with both I.E. and Mozilla based browsers?

Because of some security concerns I need the HTTP_REFERER to be set
correctly. If it is not possible, I will have to restrict my users to a
Mozilla based browser.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
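
Added example, not part of the original thread or of any poster's code: one way to follow the replies' advice is to have the server sign the originating page into each link and verify that token on arrival, treating HTTP_REFERER as an unverified hint only. The function names, the "nav" token format, and the session id values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key; never sent to the client
MAX_AGE = 300                     # seconds a link token stays valid (assumed policy)


def _mac(session_id, from_page, ts):
    # session_id is assumed to be server-generated and free of "|"
    msg = f"{session_id}|{from_page}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, from_page, now=None):
    """Token to embed in links rendered on from_page, e.g. ?nav=<token>."""
    ts = str(int(time.time() if now is None else now))
    return f"{from_page}|{ts}|{_mac(session_id, from_page, ts)}"


def verify_token(session_id, token, now=None):
    """Return the originating page if the token is authentic and fresh, else None."""
    try:
        from_page, ts, mac = token.rsplit("|", 2)
        age = (time.time() if now is None else now) - int(ts)
    except (ValueError, AttributeError):
        return None  # malformed or missing token
    expected = _mac(session_id, from_page, ts)
    # Compare as bytes so non-ASCII client input cannot raise TypeError
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return from_page if 0 <= age <= MAX_AGE else None


def origin_of_request(environ, session_id, nav_token):
    """Classify where a request came from without trusting the client."""
    page = verify_token(session_id, nav_token) if nav_token else None
    if page is not None:
        return ("verified", page)
    # Referer is client-supplied: it may be blank (as reported for IE in
    # this thread) or forged, so it is kept for logging only.
    return ("unverified", environ.get("HTTP_REFERER", ""))
```

A blank Referer then degrades tracking to "unverified" instead of breaking the application for one browser.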

