Referrer validation test

Nov-20-17 10:40 AM EST
Original Message
Referrer validation test
Author Jeff on 08-01-2002 at 07:26 (EST)
How much of a risk does leaving the referrer validation test turned off pose for us? Our problem is that our Thawte SSL certificate was issued for mastervisions.com and all of our existing links on the web lead to www.mastervisions.com. If we set our script to mastervisions.com, then anyone entering from an existing link will get an Illegal Referrer Page when they try to order. If we set our script to www.mastervisions.com and submit that URL for inclusion on Yahoo, our URL will not match our certificate, which, according to what I've heard, will cause Yahoo to reject our submission and we'll get nothing for our $300 submission fee. Is there any way to get the script to accept both forms of our URL? And if not, how much risk are we taking by not doing the Referrer Validation Test? Thanks for clearing this up.

Messages In This Discussion
1. RE: Referrer validation test
Author Bill Weiner on 08-02-2002 at 04:42 (EST)
Really the "Referrer Validation Checks" are over-kill and not really necessary. That is, the uShop CGI scripts will validate all user (and non-user) input at each stage in the order process, so the Referral Page validation check is really not necessary.

There is one place, however, that the referral validation check might be desired... and that is the point at which the Java-side of things transfers over to the CGI-side of things - the point directly after the "display_cart" page. This is the referral check that is controlled by the "Referral Page Validation" setting on the uShop Control Panel under GENERAL SETTINGS - MISCELLANEOUS. If - and only if - you are using the full URL as the CODEBASE in your applets (instead of the recommended relative CODEBASE setting of "../classes/") AND you turn the "Referral Page Validation" off, then technically, someone could duplicate your store pages on their local computer, change the price in the applets, and then submit the order with their adjusted prices. This would be a very rare case and most small storeowners would immediately recognize if their product prices were discounted when they look at the order.... And again, even with "Referral Page Validation" turned off, it would not be possible unless you are using the full URL as the codebase setting in your applets... which most storeowners do not use (most storeowners use the recommended codebase setting of "../classes/").

So in summary, if you are using a relative codebase setting in your applets (such as "../classes/"), then there is absolutely no risk in turning "Referral Page Validation" off.

If you are using the FULL URL of your classes directory as the codebase setting in your applets, then if you turn "Referral Page Validation" off, then technically, someone could try to submit an order with modified product prices. (Something that the storeowner would probably spot anyway.)

Just FYI, here are a couple links to postings in the forum that allow for the use of the referral page validation with multiple domains:

A quick trick on how to allow links with or without the "www" in the URL:
http://www.uburst.com/dcforum/ushop_cgi/157.html

Instructions on how to allow a list of URLs:
http://www.uburst.com/dcforum/ushop_cgi/131.html
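
One way a referrer check can accept both the bare and the "www" form of a store's host name, shown as an added Python example that is not uShop's code or the method from the linked postings. The function name, the allowlist and the sample Referer values are assumptions; the two host names are the ones from the question.

```python
from urllib.parse import urlsplit

# Host names from the question above; keeping them in an allowlist is an assumption.
ALLOWED_HOSTS = frozenset({"mastervisions.com", "www.mastervisions.com"})


def referrer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if the Referer header names one of the allowed hosts.

    The host is compared exactly (case-insensitively), never by substring,
    so a host that merely contains the store's name is rejected.
    The Referer header is sent by the client, so this check sits alongside
    the per-stage input validation described in the reply, not in place of it.
    """
    if not referer:
        return False  # header absent or empty
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname  # lower-cased, port and userinfo removed
    except ValueError:
        return False  # malformed URL, e.g. an unterminated IPv6 literal
    if parts.scheme not in ("http", "https") or host is None:
        return False  # e.g. a page opened from local disk (file://)
    return host in allowed_hosts


# Constructed sample Referer values, not taken from real traffic.
SAMPLES = [
    "https://mastervisions.com/store/display_cart.html",
    "http://WWW.MasterVisions.com:80/store/display_cart.html",
    "https://mastervisions.com.example.net/store/display_cart.html",
    "https://example.net/page.html?from=www.mastervisions.com",
    "https://www.mastervisions.com@example.net/",
    "file:///C:/store/display_cart.html",
    "http://[::1",
    "",
]


def check_samples():
    """Map each constructed sample to the decision the check makes."""
    return {sample: referrer_allowed(sample) for sample in SAMPLES}


if __name__ == "__main__":
    for sample, ok in check_samples().items():
        print(f"{'accept' if ok else 'reject'}  {sample!r}")
```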

© 2003 Microburst Technologies, Inc.