Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

At work we use a central portal that provides basic SSO functionality to other a

ID: 659887 • Letter: A

Question

At work we use a central portal that provides basic SSO functionality to other applications. In addition to verifying the SSO data sent, all of our existing in-house applications (used by the public) also check the referrer header to make sure that the user is actually coming from our central portal. However, we just experienced an issue where a JavaScript code change in the central portal caused Internet Explorer to stop forwarding the referrer header, which brought down all the apps that check that header.

My question is whether checking the referrer header provides any real world security improvement over just checking the basic SSO information (encrypted user ID contained in a cookie)? If it doesn't, is there any documentation/research/etc. that I could use to prove this to management?

I should also mention that unfortunately the central portal is a third party app which we don't have much control over ... so basic SSO information in the form of an encrypted cookie and referrer header information is all we have to help secure things.

Explanation / Answer

Short answer: no.

Long answer: it depends.

Referer is a header sent and controlled by the client. You cannot trust any data coming unchecked from the client. As others pointed out, it can be easily manipulated. It can contain anything the attacker wants, so don't rely on it.

If your URL contain any crypto token(http://site.com/x.php?op=1&token=-random-data-), it could be marginally useful. You would have to check the token with a session variable to determine if the header was not tampered.

But even with a token, referer checking will only work until a new browser/plugin/extension/proxy begins stripping Referer header for privacy reasons.

If possible, you can try to use the IP address of the client tied to browser fingerprinting headers (User-Agent, Accept, Accept-Language) to get more layers of security. Keeping those headers on a sesssion variable, you can detect if someone stole the credentials of your user, if someone is trying to bypass authentication, and other attacks.

Related Questions

At what speed does a clock move if it is measured to run at a rate two-fifths th
Question #1402544
At what speed must the sliding rod in Figure 22.7 move to produce an emf of 1.00
Question #1376325
At what speed should air flow through a 50 cm^2 heating duct so the air in a 200
Question #1509791
At what stage in the development of cancer do the cancerous cells grow out of co
Question #280422
At what stage of meiosis, the chromosome number is reduced by half? Prophase I.
Question #312276
At what stage of snapdragon development would you screen for putative mutants in
Question #188976
At what step in the experimental process were benzene and biphenyl impurities re
Question #1020304
At what steps in the Krebs cycle are coenzymes reduced? How would you classify t
Question #163659

Navigate

Previous
At work we use RFID tags to enter the building and each floor. The tags double a
Next
At work, I\'m behind an NTLM Proxy. When the SSL Poodle flaw came out, I hardene

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.