|Referrer validation test|
|Referrer validation test|
Author Jeff on 08-01-2002 at 07:26 (EST)
|How much of a risk does leaving the referrer validation test turned off pose for us? Our problem is that our Thawte SSL certificate was issued for mastervisions.com and all of our existing links on the web lead to www.mastervisions.com. If we set our script to mastervisions.com, then anyone entering from an existing link will get an Illegal Referrer Page when they try to order. If we set our script to www.mastervisions.com and submit that URL for inclusion on Yahoo, our URL will not match our certificate, which, according to what I've heard, will cause Yahoo to reject our submission and we'll get nothing for our $300 submission fee. Is there any way to get the script to accept both forms of our URL? And if not, how much risk are we taking by not doing the Referrer Validation Test? Thanks for clearing this up.
|Messages In This Discussion|
| 1. RE: Referrer validation test|
Author Bill Weiner on 08-02-2002 at 04:42 (EST)
|Really the "Referrer Validation Checks" are over-kill and not really necessary. That is, the uShop CGI scripts will validate all user (and non-user) input at each stage in the order process, so the Referral Page validation check is really not necessary.|
There is one place, however, that the referral validation check might be desired... and that is the point at which the Java-side of things transfers over to the CGI-side of things - the point directly after the "display_cart" page. This is the referral check that is controlled by the "Referral Page Validation" setting on the uShop Control Panel under GENERAL SETTINGS - MISCELLANEOUS. If - and only if - you are using the full URL as the CODEBASE in your applets (instead of the recommended relative CODEBASE setting of "../classes/") AND you turn the "Referral Page Validation" off, then technically, someone could duplicate your store pages on their local computer, change the price in the applets, and then submit the order with their adjusted prices. This would be a very rare case and most small storeowners would immediately recognize if their product prices were discounted when they look at the order.... And again, even with "Referral Page Validation" turned off, it would not be possible unless you are using the full URL as the codebase setting in your applets... which most storeowners do not use (most storeowners use the recommended codebase setting of "../classes/").
So in summary, if you are using a relative codebase setting in your applets (such as "../classes/"), then there is absolutely no risk in turning "Referral Page Validation" off.
If you are using the FULL URL of your classes directory as the codebase setting in your applets, then if you turn "Referral Page Validation" off, then technically, someone could try to submit an order with modified product prices. (Something that the storeowner would probably spot anyway.)
Just FYI, here are a couple links to postings in the forum that allow for the use of the referral page validation with multiple domains:
A quick trick on how to allow links with or without the "www" in the URL:
Instructions on how to allow a list of URLs: