Forum Discussion
hooleylist
Sep 10, 2008 (Cirrostratus)
Hi,
I'm pretty sure that the server cannot influence what the client's browser sets as the referer header in requests. The browser generates the referer header value based on the link that the client accessed to generate the current request. Check RFC 2616 section 14.36 for details.
As the referer header and any other unencrypted HTTP header can be arbitrarily set by a malicious user, it's not a great idea to depend on this for access control. It would be much more secure to fix the application's authentication/authorization or potentially set an encrypted cookie when a client logs in and validate that on subsequent requests.
Aaron
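The two halves of Aaron's point, as an added example that is not part of the original post: a server-side check that trusts the Referer header accepts a request whose header was simply typed in by the client, while a cookie the server itself signs (HMAC-SHA256 here, which gives the forgery protection the post's "encrypted cookie" is after; encryption can be layered on top if the contents must also be hidden) cannot be minted or altered without the server's key. The origin, secret key, user name and sample request are all constructed for this example.

```python
"""Referer-based access control versus a server-signed session cookie.

Added example, not code from the original thread. TRUSTED_ORIGIN, the
request dict, the key and the user names are constructed sample values.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

TRUSTED_ORIGIN = "https://app.example.com"  # constructed


def referer_allows(headers):
    """The weak check: grant access when the Referer looks internal.

    The Referer is set by the client, so this proves nothing about where
    the request came from.
    """
    referer = headers.get("Referer", "")
    return referer.startswith(TRUSTED_ORIGIN + "/")


# A request assembled by hand (constructed sample). Any HTTP client can
# send whatever Referer it likes, with no prior visit to the site at all.
FORGED_REQUEST = {
    "Referer": "https://app.example.com/admin/dashboard",
    "User-Agent": "curl/8.0",
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user, key, ttl=3600, now=None):
    """Mint `<payload>.<tag>` where tag = HMAC-SHA256(key, payload).

    The payload carries the subject and an expiry; only a holder of `key`
    can produce a valid tag for it.
    """
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_session_cookie(cookie, key, now=None):
    """Return the subject if the tag verifies and the cookie is unexpired,
    else None. Verify the MAC before looking at any claim."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims["sub"]


def forge_cookie_without_key(cookie, new_user):
    """What an attacker can do to a cookie they hold: rewrite the payload
    and keep the old tag. Without the key the tag no longer matches."""
    _, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(cookie.split(".", 1)[0]))
    claims["sub"] = new_user
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(payload) + "." + tag_b64


if __name__ == "__main__":
    key = b"server-side-secret-constructed-for-demo"  # constructed
    print("forged Referer accepted:", referer_allows(FORGED_REQUEST))
    cookie = issue_session_cookie("alice", key, ttl=600)
    print("valid cookie ->", verify_session_cookie(cookie, key))
    print("tampered cookie ->",
          verify_session_cookie(forge_cookie_without_key(cookie, "admin"), key))
```

The Referer check passes for the hand-built request because the server has no way to tell a browser-generated header from a typed one. The cookie check fails closed on a bad MAC, a truncated value, a wrong key, an edited subject, or an expired timestamp, which is the property an access-control decision should rest on.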