[OWASP-GUIDE] White paper: Authentication and Session Management on the Web

Paul Johnston paul at westpoint.ltd.uk
Fri Feb 11 06:16:36 EST 2005


Yes, I think that's a good idea. So, requests with a referer that is not 
a valid URL are treated as if there was no referer. The only way I could 
see this falling down is if some web browser does:

Referer: http://www.browser.com/annoying_advert.html

However, as long as no common browser does this, I see no problem. If 
doing so causes compatibility problems with some sites (and other 
browsers have no problems) this would generally be seen as a problem 
with the browser not the site.
>Yes, I very much like that approach, with the caveat I mentioned above.
>I'm thinking that when a Referer is stripped or modified that it is never
>changed to a valid URL, so this approach might be fine under the
>circumstances that the Referer is a valid but external URL. Anyone have a
>more authoritative answer?
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul at westpoint.ltd.uk
web: www.westpoint.ltd.uk
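The rule discussed in this thread (a malformed Referer is treated exactly like a missing one; a well-formed Referer is then checked for being same-site) can be written down as a small server-side check. The code below is an added illustration, not code from the thread or from the OWASP Guide; the site host `www.example.com`, the function names and the `allow_missing` switch are all assumptions for the example. The browser-advert case raised in the message is covered: a syntactically valid but external Referer is rejected, which is why the thread notes such a browser would be seen as broken rather than the site.

```python
from urllib.parse import urlsplit

# Hypothetical host of the protected site (assumption for this example).
SITE_HOST = "www.example.com"


def classify_referer(referer):
    """Return 'absent', 'invalid', 'same-site' or 'external'.

    Anything that does not parse as an absolute http(s) URL with a host
    is reported as 'invalid'; the caller treats that the same as 'absent',
    which is the policy proposed in the thread.
    """
    if referer is None or referer.strip() == "":
        return "absent"
    try:
        parts = urlsplit(referer.strip())
    except ValueError:
        # e.g. an unbalanced IPv6 bracket makes urlsplit raise
        return "invalid"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        # missing scheme, javascript:/data: schemes, or no host at all
        return "invalid"
    # hostname is already lower-cased and has userinfo/port stripped, so
    # "http://www.example.com@other.test/" compares as other.test, not as
    # the site host.
    if parts.hostname == SITE_HOST:
        return "same-site"
    return "external"


def allow_state_changing_request(referer, allow_missing=True):
    """Decide whether a state-changing request passes the Referer check.

    allow_missing controls the lenient-vs-strict choice for requests with no
    usable Referer (stripped by a proxy or privacy setting); a valid but
    external Referer is always refused.
    """
    kind = classify_referer(referer)
    if kind in ("absent", "invalid"):
        return allow_missing
    return kind == "same-site"


if __name__ == "__main__":
    # Constructed sample header values, one per case discussed above.
    samples = [
        None,
        "not a url",
        "http://www.example.com/account/settings",
        "http://www.browser.com/annoying_advert.html",
        "http://www.example.com.other.test/",
    ]
    for value in samples:
        print(repr(value), classify_referer(value),
              allow_state_changing_request(value))
```

Comparing `hostname` rather than the raw `netloc` is deliberate: it discards userinfo and port, so look-alike values that embed the site name before an `@` are classified as external, while a differently-cased host still matches.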