- # Only allow access from don.com; the picture may be placed on pages of the don.com website
- SetEnvIfNoCase Referer "^http://www\.don\.com/" local_ref
- # Direct access via the address (empty Referer)
- SetEnvIf Referer "^$" local_ref
Requests marked this way are then allowed:
-
- Order Allow,Deny
- Allow from env=local_ref
- Or
-
- Order Deny,Allow
- Deny from all
- Allow from env=local_ref
Where not to use Referer

Do not use Referer for authentication or other very important checks, because Referer is very easy to change on the client, whether through the Firefox extensions described above, Privoxy, or even libcurl calls, so Referer data is very unreliable. If you want to require that users enter through a portal page, use the session instead of Referer: write to the session on the portal page, then check it on the other pages. If the user has not visited the portal page, the corresponding session does not exist; see the discussion here. However, as mentioned above, do not put too much trust in the result of this kind of "verification" either.

My personal feeling is that, apart from hotlink protection, the most common use of Referer now is access statistics, such as counting which links users arrived from.

The HTTP Referer variable has become more and more unreliable; it can be forged completely. The following are forgery methods.

PHP (provided that you have curl installed):
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, "http://www.d.cn/xxx.asp");
- curl_setopt($ch, CURLOPT_REFERER, "http://www.d.cn/"); // the client chooses the Referer value
- curl_exec($ch);
- curl_close($ch);
PHP (without curl installed, using a socket):
- $server = 'www.dc9.cn';
- $host = 'www.dc9.cn';
- $target = '/xxx.asp';
- $referer = 'http://www.d.cn/'; // Referer
- $port = 80;
- $fp = fsockopen($server, $port, $errno, $errstr, 30);
- if (!$fp)
- {
-     echo "$errstr ($errno)\n";
- }
- else
- {
-     // Build the request headers by hand; every header is whatever the client writes
-     $out = "GET $target HTTP/1.1\r\n";
-     $out .= "Host: $host\r\n";
-     $out .= "Cookie: aspsessionidsqtbqsda=dfcapklbbficdafmhnkigkeg\r\n";
-     $out .= "Referer: $referer\r\n";
-     $out .= "Connection: Close\r\n\r\n";
-     fwrite($fp, $out);
-     while (!feof($fp))
-     {
-         echo fgets($fp, 128);
-     }
-     fclose($fp);
- }
- JavaScript
- xmlhttp.setRequestHeader("Referer", "http://URL"); // hehe ~ fake ~
JS does not support this ^_^

The principle is that a socket constructs the HTTP header and sends the data. Other languages such as Perl can do this too. A relatively simple defense against a forged Referer is to use a verification code (session).

There are now some commercial hotlink-protection products, such as Uudog, linkgate and virtualwall, all developed as DLLs for IIS. Some use cookie authentication or thread control; some randomly generate file names and then do URL rewriting. Some of these methods can really achieve a good result.
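The session advice above, contrasted with the Referer check, as an added example that is not code from the original page. The function names, the token lifetime and the sample requests are assumptions made for illustration; in a real page `$session` would be `$_SESSION` after `session_start()`.

```php
<?php
// Added example: all names and sample data below are constructed for illustration.

const TOKEN_TTL = 600; // seconds a portal visit stays valid (assumed value)

// Weak check: trusts a header that the client fully controls.
function check_by_referer(array $headers): bool {
    return preg_match('#^http://www\.don\.com/#i', $headers['Referer'] ?? '') === 1;
}

// Portal page: record the visit server-side and hand the client a random code.
function issue_portal_token(array &$session): string {
    $token = bin2hex(random_bytes(16));
    $session['portal_token'] = $token;
    $session['portal_time'] = time();
    return $token;
}

// Protected page: the presented code must match the stored one and still be fresh.
function check_by_session(array $session, string $presented): bool {
    if (!isset($session['portal_token'], $session['portal_time'])) {
        return false; // the portal page was never visited in this session
    }
    if (time() - $session['portal_time'] > TOKEN_TTL) {
        return false; // the portal visit is too old
    }
    return hash_equals($session['portal_token'], $presented); // constant-time compare
}

// Constructed request 1: client wrote its own Referer and never loaded the portal.
$forgedHeaders = ['Referer' => 'http://www.don.com/'];
$forgedSession = [];

// Constructed request 2: visitor loaded the portal page first.
$visitorSession = [];
$visitorToken = issue_portal_token($visitorSession);

printf("Referer check, forged header:     %s\n",
    var_export(check_by_referer($forgedHeaders), true));
printf("Session check, no portal visit:   %s\n",
    var_export(check_by_session($forgedSession, 'guessed-code'), true));
printf("Session check, after portal page: %s\n",
    var_export(check_by_session($visitorSession, $visitorToken), true));
```

The session check only proves that the same session loaded the portal page first; a scripted client can do that too, which is why the text warns against trusting this kind of verification too much.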