[OWASP-GUIDE] White paper: Authentication and Session Management on the Web
paul at westpoint.ltd.uk
Fri Feb 11 06:16:36 EST 2005
Yes, I think that's a good idea. So, requests with a referer that is not
a valid URL are treated as if there was no referer. The only way I could
see this falling down is if some web browser does:
However, as long as no common browser does this, I see no problem. If
doing so causes compatibility problems with some sites (and other
browsers have no problems) this would generally be seen as a problem
with the browser not the site.
>Yes, I very much like that approach, with the caveat I mentioned above.
>I'm thinking that when a Referer is stripped or modified that it is never
>changed to a valid URL, so this approach might be fine under the
>circumstances that the Referer is a valid but external URL. Anyone have a
>more authoritative answer?
Paul Johnston, GSEC
Internet Security Specialist
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul at westpoint.ltd.uk
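Added example, not code from this thread or the OWASP Guide: a small Referer classifier implementing the rule agreed above, in which a Referer that is not a valid absolute URL is treated exactly like an absent one, so the only value that can be singled out for rejection is a well-formed URL on a foreign origin. The origin comparison (scheme, lowercased host, default-port normalisation) and the sample headers are my own assumptions.

```python
from urllib.parse import urlsplit

# The three outcomes a Referer check can yield; the policy for MISSING
# (allow, or fall back to another CSRF defence) is left to the site.
MISSING, SAME_ORIGIN, EXTERNAL = "missing", "same-origin", "external"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, or None if
    the string is not one (garbage, relative path, javascript:/about: URLs,
    missing host, unparsable or out-of-range port)."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        if scheme not in _DEFAULT_PORTS or not parts.hostname:
            return None
        # .port raises ValueError for non-numeric or out-of-range ports.
        port = parts.port or _DEFAULT_PORTS[scheme]
        return scheme, parts.hostname.lower(), port
    except ValueError:
        return None


def classify_referer(referer, site_url):
    """Classify a request's Referer header relative to the site's own URL.

    Rule from the thread: an unparsable Referer is indistinguishable from
    an absent one. Only a valid URL on another origin yields EXTERNAL.
    """
    if referer is None or referer.strip() == "":
        return MISSING
    ref_origin = _origin(referer)
    if ref_origin is None:
        return MISSING
    return SAME_ORIGIN if ref_origin == _origin(site_url) else EXTERNAL


if __name__ == "__main__":
    site = "https://example.com/"          # constructed site URL
    samples = [                            # constructed Referer values
        None, "", "not a url", "javascript:alert(1)",
        "https://EXAMPLE.com:443/account", "https://example.com.evil.example/",
        "http://example.com/", "https://example.com:99999/",
    ]
    for header in samples:
        print(f"{header!r:45} -> {classify_referer(header, site)}")
```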