使用HTTP_REFERRER的安全性问题
[英]Security issues with using HTTP_REFERRER
问题描述
I have a webpage ("research.php") with links to PDF files and want to display a disclaimer ("disclaimer.html") before anyone sees the files. 
我有一个网页(“research.php”),其中包含PDF文件的链接,并希望在任何人看到文件之前显示免责声明(“disclaimer.html”)。 At the moment I've accomplished this by checking the value of HTTP_Referrer and redirecting if it's not from the disclaimer page. 目前我通过检查HTTP_Referrer的值并重定向(如果它不是来自免责声明页面)来完成此操作。
Code: 码:
$ref = $_SERVER['HTTP_REFERER'];
if($ref !== 'http://my.site.com/disclaimer.html') {
die('<META HTTP-EQUIV="Refresh" CONTENT="0;URL=disclaimer.html">');}
The research page contains links to PDF files that are held in a separate directory which is restricted to local access using .htaccess. 研究页面包含PDF文件的链接,这些文件保存在一个单独的目录中,该目录仅限于使用.htaccess进行本地访问。 PDFs are served by a PHP script ("download.php") that also checks HTTP_Referrer. PDF由PHP脚本(“download.php”)提供,该脚本也检查HTTP_Referrer。
I understand that the HTTP_Referrer variable can be spoofed, making this method insecure, and have a couple of questions: 我知道HTTP_Referrer变量可能是欺骗性的,使得这种方法不安全,并且有几个问题:
Firstly, is it possible for someone to link directly from a different website to either the research page or the download script and spoof HTTP_Referrer such that their visitors would be able to bypass the disclaimer? 首先,是否有人可以直接从不同的网站链接到研究页面或下载脚本,并欺骗HTTP_Referrer,以便他们的访问者可以绕过免责声明? Based on a different question , my understanding is that HTTP_Referrer can easily be spoofed on an individual's PC but that it's much harder to do it for a website visitor? 根据一个不同的问题 ,我的理解是HTTP_Referrer很容易在个人电脑上被欺骗,但对于网站访问者来说这很难吗?
Secondly, are there ways to make the download.php script more secure, for example by putting it in a directory restricted to local access using .htaccess? 其次,是否有办法使download.php脚本更安全,例如将其放在限制为使用.htaccess进行本地访问的目录中? I'm currently calling the script using a simple link of the form "a href="download.php?..." so my understanding is that this won't work - is that correct? 我目前正在使用“a href =”download.php?...形式的简单链接调用脚本,所以我的理解是这不起作用 - 这是正确的吗?
Any comments appreciated. 任何评论赞赏。 The bottom line is that I want it to be difficult / impossible to link to the pages or files from another website without showing the disclaimer or without the owner of that website actually storing the PDFs on their website. 最重要的是,我希望很难/不可能链接到来自其他网站的页面或文件而不显示免责声明或没有该网站的所有者实际将PDF存储在他们的网站上。 No doubt any solution will have certain vulnerabilities but what I'm trying to understand is how tricky it is for an experienced web designer to bypass the disclaimer page. 毫无疑问,任何解决方案都会有某些漏洞,但我想要了解的是,对于有经验的网页设计师来说,绕过免责声明页面是多么棘手。
UPDATE: jszobody's response below clearly outlines a better way of doing this and so answers the question - but I'd still be interested to know how much work is involved in spoofing HTTP_REFERRER from a link on a 3rd party website if anyone can explain it simply. 更新:jszobody在下面的回答清楚地概述了一个更好的方法,所以回答了这个问题 - 但我仍然有兴趣知道,如果有人能够解释它,从第三方网站上的链接欺骗HTTP_REFERRER涉及多少工作。
1 个解决方案
解决方案1
3 已采纳 2013-11-14 13:23:13
I'd consider using session for this. 我考虑使用会话。
On disclaimer.php: 在disclaimer.php上:
session_start();
$_SESSION['viewed_disclaimer'] = true;
On research.php: 关于research.php:
session_start();
if(!$_SESSION['viewed_disclaimer']) {
header("Location: disclaimer.php");
die();
}
You get the idea. 你明白了。 You could also protect the individual PDF files by not linking to them directly, but rather using a PHP passthrough script. 您也可以通过不直接链接到它们来保护单个PDF文件,而是使用PHP passthrough脚本。
Call it download.php: 叫它download.php:
session_start();
if(!$_SESSION['viewed_disclaimer']) {
header("Location: disclaimer.php");
die();
}
$filename = basename($_GET['filename']);
if(file_exists("path/to/my/pdfs/" . $filename) {
// Send headers for a PDF file, and read out the file
}
Then you can link to download.php?filename=myfile.pdf from research.php. 然后你可以从research.php链接到download.php?filename=myfile.pdf 。
Make sense? 说得通?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.