HTTP-Referrer errors
Installation went fine but I cannot administrate the blog.
Every time I am trying to change something as admin the following error
message is displayed:
Your browser did not sent a valid HTTP-Referrer string ...
There is no indication in the error logs what went wrong. I am getting
this error message with several kinds of browsers (firefox, konqueror,
opera, IE).
I installed in shared mode and as single instance but it's always the same. I also tried URL rewriting and disabled it. At each new install I dropped the database and removed all s9y files. I am working with postgresql 8.0 and php 4.4.1.
TIA,
Werner
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: HTTP-Referrer errors
The message you are getting is a security method of preventing so called Cross-Site Request Forgery attacks (CSRF). This is a way of other people tricking your browser into performing actions that you yourself did not want, like deleting entries or other things.
The browser HTTP Referer string is one method of verifying access. Your browser may be configured to not send a HTTP Referer string, or maybe some proxy system you are using does not submit it. You will need to inspect your system configuration (the client, not the server!) why no HTTP Referer is submitted.
You can bypass this check if you edit your serendipity_config_local.inc.php file and insert this line of code:
Code:
$_SERVER['HTTP_REFERER'] = 'fake';
However this also prevents a security measure!
Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
HTTP-Referrer errors
RFC 2616 says:
"The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard."
I tried to circumvent the error condition by creating a link to my blog
in another document but the same error occurred although a referer field
is sent by my browser.
I guess the problem lies somewhere else. How can I get more debugging
info from serendipity?
Regards,
Werner
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: HTTP-Referrer errors
The referrer needs to be sent from your own blog domain; if the referrer was from another document on a different directory than s9y, the XSRF check will apply.
This does not apply for the first serendipity admin page, which can have an empty referrer.
But in your case I must admit I don't understand the problem, I've never yet heard of it. Is it possible that you can create me an s9y author account on your blog so that I can see it? We could then add some debugging there. I'd really like to find the root of this problem.
Regards,
Garvin
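The rules described in the reply above (the Referer must come from the blog's own domain and directory, and only the first admin page may arrive without one), as an added example that is not part of the thread and not Serendipity's code. The function name, the entry-page flag, the base URL (assumed to be a valid absolute URL) and the sample requests are assumptions:

```php
<?php
// Added illustration, not Serendipity's code. $baseUrl and $isEntryPage
// are assumptions made for this sketch.
/** Returns [bool $ok, string $reason] for one admin request. */
function referer_check(?string $referer, string $baseUrl, bool $isEntryPage): array
{
    if ($referer === null || $referer === '') {
        // An empty Referer is tolerated only on the first admin page.
        return $isEntryPage
            ? [true, 'empty referer allowed on entry page']
            : [false, 'no referer sent'];
    }

    $ref  = parse_url($referer);
    $base = parse_url($baseUrl);
    if (!is_array($ref) || !isset($ref['scheme'], $ref['host'])) {
        return [false, 'referer is not an absolute URL'];
    }

    // Compare parsed components. A substring match on the raw header would
    // also accept a host such as blog.example.org.other.test.
    if (strcasecmp($ref['scheme'], $base['scheme']) !== 0
        || strcasecmp($ref['host'], $base['host']) !== 0
        || ($ref['port'] ?? null) !== ($base['port'] ?? null)) {
        return [false, 'referer is from a different origin'];
    }

    // Same host but outside the blog directory is treated as foreign too.
    $basePath = rtrim($base['path'] ?? '', '/') . '/';
    $refPath  = ($ref['path'] ?? '/') . '/';
    if (strncmp($refPath, $basePath, strlen($basePath)) !== 0) {
        return [false, 'referer is outside the blog directory'];
    }
    return [true, 'referer matches the blog'];
}

// Constructed sample requests: [Referer header, is first admin page?]
$base  = 'https://blog.example.org/blog/';
$cases = [
    ['https://blog.example.org/blog/admin.php', false],
    ['', true],
    ['', false],
    ['https://blog.example.org/other/link.html', false],
    ['https://blog.example.org.other.test/blog/', false],
];
foreach ($cases as [$referer, $entry]) {
    [$ok, $why] = referer_check($referer, $base, $entry);
    printf("%-45s %s (%s)\n", $referer ?: '(none)', $ok ? 'pass' : 'BLOCK', $why);
}
```

Only the first two sample requests pass; the reason string says which rule rejected each of the others, which is the kind of detail the generic error message does not give.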
-
- Posts: 3
- Joined: Thu Jun 26, 2008 12:48 pm
- Contact:
Re: HTTP-Referrer errors
Excuse my English.
I have the same problem. After login -> create new post -> s9 returns to the login page without any errors. If I try to change some settings, s9 writes (my translation from Russian):
"Your browser did not send a valid HTTP-Referrer. bla bla bla Cross Site Request Forgery (XSRF) bla bla bla."
Disabling the HTTP_REFERER check is not secure and a bad solution, I suppose?
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: HTTP-Referrer errors
Hi!
Which browser are you using, did you try a different one? Do you run other applications on the same server when you're working in s9y? It could be that sessions of a different application interfere (like phpMyAdmin). Also proxies or other checkers could mess with the HTTP Referrer?
Regards,
Garvin
-
- Posts: 3
- Joined: Thu Jun 26, 2008 12:48 pm
- Contact:
Re: HTTP-Referrer errors
I tried Opera, Mozilla, IE 7. I attempted to administrate the blog from different computers. The blog has worked on s9 for about 2 years, and this problem appeared only today. Today I upgraded the blog from v1.2 to v1.3.1 - it did not help.
Yes, other applications are also running on the hosting, but problems never appeared.
And I use no proxy.
-
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: HTTP-Referrer errors
Hi!
Did you ask the server provider if he changed things? If this only started recently, something must have changed.
Regards,
Garvin
-
- Posts: 3
- Joined: Thu Jun 26, 2008 12:48 pm
- Contact:
OK I found my problem.
I had deleted the "session.save_path" folder.
Let me give a little background...
My host had suspended my account because it was somehow being used as a phishing site or whatever. So I guess I had something installed that was vulnerable or not secure. I started deleting files and folders that didn't look familiar.
Thanks.