www.uburst.com

"Referrer validation test"


Problems with trying to place orders.
Forum Type: Public
Moderator: edmunds
Time Zone: EST
Original Message
 
"Referrer validation test"
Posted by Jeff on Aug-01-02 at 07:26 AM (EST)
How much of a risk does leaving the referrer validation test turned off pose for us? Our problem is that our Thawte SSL certificate was issued for mastervisions.com and all of our existing links on the web lead to www.mastervisions.com. If we set our script to mastervisions.com, then anyone entering from an existing link will get an Illegal Referrer Page when they try to order. If we set our script to www.mastervisions.com and submit that URL for inclusion on Yahoo, our URL will not match our certificate, which, according to what I've heard, will cause Yahoo to reject our submission and we'll get nothing for our $300 submission fee. Is there any way to get the script to accept both forms of our URL? And if not, how much risk are we taking by not doing the Referrer Validation Test? Thanks for clearing this up.

Messages in this discussion
 
1 . "RE: Referrer validation test"
Posted by Bill Weiner on Aug-02-02 at 04:42 AM (EST)
Really the "Referrer Validation Checks" are overkill and not really necessary. That is, the uShop CGI scripts will validate all user (and non-user) input at each stage in the order process, so the Referral Page validation check is really not necessary.

There is one place, however, that the referral validation check might be desired... and that is the point at which the Java-side of things transfers over to the CGI-side of things - the point directly after the "display_cart" page. This is the referral check that is controlled by the "Referral Page Validation" setting on the uShop Control Panel under GENERAL SETTINGS - MISCELLANEOUS. If - and only if - you are using the full URL as the CODEBASE in your applets (instead of the recommended relative CODEBASE setting of "../classes/") AND you turn the "Referral Page Validation" off, then technically, someone could duplicate your store pages on their local computer, change the price in the applets, and then submit the order with their adjusted prices. This would be a very rare case and most small storeowners would immediately recognize if their product prices were discounted when they look at the order.... And again, even with "Referral Page Validation" turned off, it would not be possible unless you are using the full URL as the codebase setting in your applets... which most storeowners do not use (most storeowners use the recommended codebase setting of "../classes/").

So in summary, if you are using a relative codebase setting in your applets (such as "../classes/"), then there is absolutely no risk in turning "Referral Page Validation" off.

If you are using the FULL URL of your classes directory as the codebase setting in your applets, then if you turn "Referral Page Validation" off, then technically, someone could try to submit an order with modified product prices. (Something that the storeowner would probably spot anyway.)

Just FYI, here are a couple links to postings in the forum that allow for the use of the referral page validation with multiple domains:

A quick trick on how to allow links with or without the "www" in the URL:
http://www.uburst.com/dcforum/ushop_cgi/157.html

Instructions on how to allow a list of URLs:
http://www.uburst.com/dcforum/ushop_cgi/131.html

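An added example, not part of the original posts and not uShop's code: a referrer check that accepts both host forms from the question by exact hostname match against an allow-list, followed by a comparison of submitted prices with a server-side catalogue. The Referer header is supplied by the client, so the catalogue comparison is the check that still holds when the header is missing or wrong. The function names, SKUs, prices and URL paths are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Both forms of the store host from the question (allow-list is an assumption).
ALLOWED_HOSTS = {"mastervisions.com", "www.mastervisions.com"}

# Constructed server-side catalogue: authoritative unit prices in cents.
CATALOG = {"SKU-100": 1999, "SKU-200": 4950}


def referrer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """True only if the Referer is an http(s) URL whose host is on the list."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    host = parts.hostname  # already lower-cased, port and userinfo removed
    if parts.scheme not in ("http", "https") or host is None:
        return False
    # Exact match, not substring or prefix: a look-alike host that merely
    # contains the store name must not pass.
    return host.rstrip(".") in allowed_hosts


def price_errors(order_lines, catalog=CATALOG):
    """Return SKUs whose submitted unit price differs from the catalogue."""
    return [sku for sku, cents in order_lines if catalog.get(sku) != cents]


def accept_order(referer, order_lines):
    """Referer is a coarse filter; the catalogue comparison decides."""
    if not referrer_allowed(referer):
        return "illegal referrer"
    bad = price_errors(order_lines)
    return "price mismatch: " + ", ".join(bad) if bad else "accepted"


if __name__ == "__main__":
    # Constructed sample requests.
    good = "http://www.mastervisions.com/shop/display_cart.html"
    print(accept_order(good, [("SKU-100", 1999)]))
    print(accept_order(good, [("SKU-100", 1)]))
    print(accept_order("file:///C:/copy/display_cart.html", [("SKU-100", 1999)]))
```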


©1997-1999 by DCScripts. All rights reserved.