HTTP-Referrer errors

werner_reis

HTTP-Referrer errors

Post by werner_reis »

Installation went fine but I cannot administrate the blog.

Every time I am trying to change something as admin the following error
message is displayed:

Your browser did not sent a valid HTTP-Referrer string ...

There is no indication in the error logs what went wrong. I am getting
this error message with several kinds of browsers (firefox, konqueror,
opera, IE).

I installed in shared mode and as single instance but it's always the same. I also tried URL rewriting and disabled it. At each new install I dropped the database and removed all s9y files. I am working with postgresql 8.0 and php 4.4.1.

TIA,

Werner
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: HTTP-Referrer errors

Post by garvinhicking »

The message you are getting is a security method of preventing so-called Cross-Site Request Forgery attacks (CSRF). This is a way of other people tricking your browser into performing actions that you yourself did not want, like deleting entries or other things.

The browser HTTP Referer string is one method of verifying access. Your browser may be configured to not send an HTTP Referer string, or maybe some proxy system you are using does not submit it. You will need to inspect your system configuration (the client, not the server!) to see why no HTTP Referer is submitted.

You can bypass this check if you edit your serendipity_config_local.inc.php file and insert this line of code:

$_SERVER['HTTP_REFERER'] = 'fake';

However, this also prevents a security measure!

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
werner_reis

HTTP-Referrer errors

Post by werner_reis »

RFC 2616 says:

"The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard."

I tried to circumvent the error condition by creating a link to my blog
in another document, but the same error occurred although a referer field
is sent by my browser.

I guess the problem lies somewhere else. How can I get more debugging
info from serendipity?

Regards,

Werner
garvinhicking

Re: HTTP-Referrer errors

Post by garvinhicking »

The referrer needs to be sent from your own blog domain; if the referrer was from another document in a different directory than s9y, the XSRF check will apply.

This does not apply for the first serendipity admin page, which can have an empty referrer.

But in your case I must admit I don't understand the problem, I've never yet heard of it. Is it possible that you can create me an s9y author account on your blog so that I can see it? We could then add some debugging there. I'd really like to find the root of this problem.

Regards,
Garvin
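
The same-host rule described in the two replies above, sketched as an added example that is not part of the thread and not Serendipity's own code. The function name, the host `blog.example.org` and all sample Referer values are constructed for illustration.

```php
<?php
// Added illustration (PHP 7.1+), not Serendipity's implementation.
// $blogHost and every Referer value below are constructed sample data.

/**
 * Accept a request only when its Referer names the blog's own host.
 * $allowEmpty models the entry page, which may arrive with no Referer.
 */
function referer_matches_host(?string $referer, string $blogHost, bool $allowEmpty = false): bool
{
    if ($referer === null || $referer === '') {
        return $allowEmpty;
    }
    // Compare the parsed host exactly; searching the raw string for the
    // blog's name would also accept look-alike hosts and query strings.
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $blogHost) === 0;
}

$blogHost = 'blog.example.org';
$cases = [
    // label, Referer header, allowEmpty
    ['admin form on the blog itself',      'http://blog.example.org/admin/',               false],
    ['link from another site',             'http://other.example.net/links.html',          false],
    ['look-alike host',                    'http://blog.example.org.other.test/',          false],
    ['blog name only in the query string', 'http://other.example.net/?u=blog.example.org', false],
    ['malformed value',                    'not a url',                                    false],
    ['no Referer, state-changing action',  '',                                             false],
    ['no Referer, first admin page',       '',                                             true],
];

foreach ($cases as [$label, $referer, $allowEmpty]) {
    $verdict = referer_matches_host($referer, $blogHost, $allowEmpty) ? 'accept' : 'reject';
    printf("%-36s %s\n", $label, $verdict);
}
```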
webmaster-key
Posts: 3
Joined: Thu Jun 26, 2008 12:48 pm
Contact:

Re: HTTP-Referrer errors

Post by webmaster-key »

Excuse my English.

I have the same problem. After login -> create new post -> s9 returns to the login page without any errors. If I try to change some settings, s9 writes (my translation from Russian):
Your browser did not send a valid HTTP-Referrer. bla bla bla Cross Site Request Forgery (XSRF) bla bla bla.
Disabling the HTTP_REFERER check is not secure and a bad solution, I suppose?
garvinhicking

Re: HTTP-Referrer errors

Post by garvinhicking »

Hi!

Which browser are you using, did you try a different one? Do you run other applications on the same server when you're working in s9y? It could be that sessions of a different application interfere (like phpMyAdmin). Also proxies or other checkers could mess with the HTTP Referrer?

Regards,
Garvin
webmaster-key

Re: HTTP-Referrer errors

Post by webmaster-key »

I tried Opera, Mozilla, IE 7. I attempted to administrate the blog from different computers. The blog has worked on s9 for about 2 years, and this problem appeared only today. Today I upgraded the blog from v1.2 to v1.3.1 - it did not help.
Yes, other applications are also running on the hosting, but problems never appeared.
And I use no proxy.
garvinhicking

Re: HTTP-Referrer errors

Post by garvinhicking »

Hi!

Did you ask the server provider if he changed things? If this only started recently, something must have changed.

Regards,
Garvin
webmaster-key

Post by webmaster-key »

The provider says they didn't change anything. 5 min ago s9 began to work correctly. I don't understand what was wrong, and maybe it can repeat again.
locojoe
Regular
Posts: 42
Joined: Wed Oct 25, 2006 12:58 am

Post by locojoe »

I too am now getting this error since upgrading to 1.3.1. Now that I think about it I may have encountered this same problem on a previous upgrade.
I'll go do some searching of the forums.
locojoe

Post by locojoe »

I just tried inserting the bypass code like you stated above and still get the same error.

I am running multiple blogs on the same host and domain and they now all have this problem after upgrading.
locojoe

Post by locojoe »

OK I found my problem.

I had deleted the "session.save_path" folder.

Let me give a little background...
My host had suspended my account because it was somehow being used as a phishing site or whatever. So I guess I had something installed that was vulnerable or not secure. I started deleting files and folders that didn't look familiar.

Thanks.
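
A quick check for the root cause found in the last post, a missing `session.save_path` directory, as an added example that is not part of the thread or of Serendipity. The function names are hypothetical; it assumes PHP's default `files` session handler.

```php
<?php
// Added diagnostic (PHP 7+), not part of Serendipity.
// Run it under the same PHP setup as the blog: the command-line php.ini can
// differ from the web server's. Remove the script again after use.

// session.save_path may be "/path", "N;/path" or "N;MODE;/path";
// the directory is always the last ';'-separated field.
function session_dir_from_setting(string $setting): string
{
    if ($setting === '') {
        // With an empty setting the files handler uses the system temp dir.
        return sys_get_temp_dir();
    }
    $parts = explode(';', $setting);
    return end($parts);
}

// Returns a list of problems; an empty list means the directory looks usable.
function diagnose_session_dir(string $setting): array
{
    $dir = session_dir_from_setting($setting);
    $problems = [];
    if (!is_dir($dir)) {
        $problems[] = "directory does not exist: $dir";
    } elseif (!is_writable($dir)) {
        $problems[] = "directory is not writable by this PHP user: $dir";
    }
    return $problems;
}

if (ini_get('session.save_handler') !== 'files') {
    echo "session.save_handler is not 'files'; this check does not apply\n";
} else {
    $problems = diagnose_session_dir((string) ini_get('session.save_path'));
    if ($problems) {
        echo "session storage is broken:\n  " . implode("\n  ", $problems) . "\n";
    } else {
        echo "session.save_path looks usable\n";
    }
}
```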