PHP forgery Referer use Referer to prevent pictures hotlinking

Source: Internet
Author: User
    1. # only allow access from don.com, the picture may be placed on the page of the Don.com website
    2. Setenvifnocase referer "^http://www.don.com/" Local_ref
    3. # Direct access via address
    4. Setenvif referer "^$" Local_ref
Copy Code

The marked access is then allowed:

    1. Order Allow,deny
    2. Allow from Env=local_ref
    3. Or
    4. Order Deny,allow
    5. Deny from all
    6. Allow from Env=local_ref
Copy Code

Do not use the Rerferer place

Do not use Rerferer for authentication or other very important checks, because Rerferer is very easy to change on the client, either through the Firefox extensions described above, or privoxy, or even libcurl calls, So the rerferer data is very unreliable. If you want to restrict the user from having access to a portal page, instead of using Referer, use the session, write to the session on the portal page, and then check on the other pages, if the user has not visited the portal page, then the corresponding session does not exist, see the discussion here. However, as mentioned above, do not believe too much in this way of "verification" results. Personal feeling now rerferer in addition to the use of anti-theft chain, other uses of the most is to access statistics, such as the statistics users are from where the link access to come and so on.

Http-referer This variable has become more and more unreliable, is completely can be forged out of the stuff. The following is a forgery method: PHP (provided that you have Curl installed):

    1. $ch = Curl_init ();
    2. curl_setopt ($ch, Curlopt_url, "http://www.d.cn/xxx.asp");
    3. curl_setopt ($ch, Curlopt_referer, "http://www.d.cn/");
    4. Curl_exec ($ch);
    5. Curl_close ($ch);
Copy Code

PHP (does not pack curl with sock)

    1. $server = ' www.dc9.cn ';
    2. $host = ' www.dc9.cn ';
    3. $target = '/xxx.asp ';
    4. $referer = ' http://www.d.cn/'; Referer
    5. $port = 80;
    6. $fp = Fsockopen ($server, $port, $errno, $errstr, 30);
    7. if (! $fp)
    8. {
    9. echo "$errstr ($errno)
      \ n ";
    10. }
    11. Else
    12. {
    13. $out = "Get $target http/1.1\r\n";
    14. $out. = "Host: $host \ r \ n";
    15. $out. = "cookie:aspsessionidsqtbqsda=dfcapklbbficdafmhnkigkeg\r\n";
    16. $out. = "Referer: $referer \ r \ n";
    17. $out. = "connection:close\r\n\r\n";
    18. Fwrite ($fp, $out);
    19. while (!feof ($FP))
    20. {
    21. Echo fgets ($FP, 128);
    22. }
    23. Fclose ($FP);
    24. }
    25. Javascript
    26. Xmlhttp.setrequestheader ("Referer", "Http://url");//hehe ~ fake ~
Copy Code

JS does not support ^_^

The principle is sock constructs the HTTP header to SendData. Other languages such as Perl can also, the relatively simple defense forgery Referer method is to use the verification Code (session). Now there are some commercial companies that can be anti-theft chain software, such as Uudog,linkgate,virtualwall, are developed to apply to IIS above the DLL. Some are the use of cookie authentication, thread control, some can randomly generate filenames and then do URL rewrite. Some methods can really achieve a good result.

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.