Forum Discussion

Nimbostratus

Sep 10, 2008

iRule to match http referer to be Null

Currently www.abc.com/login.html is getting redirected to www.abc.com/private/login.html as per the code. www.abc.com/private/login.html has header referer enabled and set is to www.abc...

Cirrostratus

Sep 10, 2008

Hi,

I'm pretty sure that the server cannot influence what the client's browser sets as the referer header in requests. The browser generates the referer header value based on the link that the client accessed to generate the current request. Check RFC 2616 section 14.36 for details.

As the referer header and any other unencrypted HTTP header can be arbitrarily set by a malicious user, it's not a great idea to depend on this for access control. It would be much more secure to fix the application's authentication/authorization or potentially set an encrypted cookie when a client logs in and validate that on subsequent requests.

Aaron

Forum Discussion

iRule to match http referer to be Null

Recent Discussions

Server 2 causing application slowness

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

Related Content

IRULE help for HTTP Referer value

/32 IPs in Datagroup class match not matching

Reference iFile inside CSS file - Is it possible?

Where is a class match list located?

401 unauthorized return if header doesn't match