05-29-2002, 09:25 PM
I am making a shopping cart. For security I need to know where the post was made from; for example, only www.my.com/additem.asp can post to www.my.com/cart.asp and not any other page. So in cart.asp, how can I make sure which referrer the post was made from?
06-03-2002, 07:33 AM
if Request.ServerVariables("HTTP_REFERER")<> "http://www.my.com/additem/" then
06-03-2002, 05:32 PM
Keep in mind that any HTTP header, including Referer, can easily be faked by even a novice user.
06-04-2002, 11:00 AM
Then how can I make sure that the HTTP Referer in ASP cannot be faked?
Any solution to it or just have to get away with it?
06-04-2002, 02:28 PM
You can't prevent a user from faking the referer header. I'm sure that there is another way to secure your site, however I'm not positive as to what you're attempting to do, so a longer explanation is necessary.
06-04-2002, 03:07 PM
If only www.my.com/additem.asp can post to www.my.com/cart.asp
then it seems like you would want to pass a hidden form variable
with the cartID and also a session number generated from
additem.asp that would change each time. If the session number
passed back matches the one just generated for the cartID, it
should be safe. The session number should expire after a certain
time, or become invalid if any other page is requested. Not a
perfect solution, but in connectionless web programming, there
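
The hidden-field scheme suggested in the last post, as an added example that is not part of the original thread and is written in Python rather than ASP so the logic can be run on its own. The `FormTokens` class, the `form_token` field name and the 10-minute lifetime are assumptions; in ASP the pending token would live in Session state.

```python
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds a form token stays valid (assumed value)


class FormTokens:
    """Server-side store of one pending token per cart (stand-in for Session state)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # cart_id -> (token, expires_at)
        self._clock = clock

    def issue(self, cart_id):
        """Called when additem renders its form; the result goes in a hidden field."""
        token = secrets.token_urlsafe(32)  # unpredictable, new on every render
        self._pending[cart_id] = (token, self._clock() + TOKEN_TTL)
        return token

    def invalidate(self, cart_id):
        """Called when any other page is requested for this cart."""
        self._pending.pop(cart_id, None)

    def redeem(self, cart_id, submitted):
        """Called by cart on POST: True only for the latest, unexpired, unused token."""
        # pop() makes the token single-use; a wrong guess also burns it.
        entry = self._pending.pop(cart_id, None)
        if entry is None or not isinstance(submitted, str):
            return False
        token, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Constant-time comparison of the stored and submitted values.
        return hmac.compare_digest(token.encode(), submitted.encode())


def handle_cart_post(store, cart_id, form, headers):
    """Accept or reject a POST to cart. The Referer header is ignored on purpose,
    because the client controls it; only the server-issued token counts."""
    return store.redeem(cart_id, form.get("form_token"))
```
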