Then, stipulate that only marked access is allowed:
Don’t use referrer places Do not use referrer for authentication or other very important checks, because referrer is very easy to be changed on the client side, whether it is through the firefox extension introduced above, or privoxy, or even libcurl call, so the referrer data is very Not credible. If you want to restrict users from accessing a certain entrance page, instead of using referer, it is better to use session, write the session on the entrance page, and then check on other pages. If the user has not visited the entrance page, then the corresponding session does not exist. , see discussion here. But as mentioned above, don’t put too much faith in the “verification” results of this method. Personally, I feel that in addition to being used to prevent hotlinking, the most common use of referrers is access statistics, such as statistics on which links users access from, etc. The http-referer variable has become increasingly unreliable and can be forged. Here's how to fake it: php (provided curl is installed):
php (use sock without curl)
js is not supported^_^ The principle is that sock constructs the http header to send data. Other languages such as perl can also be used. Currently, the simplest way to defend against forged referers is to use a verification code (session). Nowadays, there are some commercial companies that can prevent hotlinking software, such as uudog, linkgate, virtualwall, etc., all of which are developed and applied to dll on iis. Some use cookie verification and thread control, and some can randomly generate file names and then perform url rewriting. Some methods can indeed achieve good results. |