xoops forums

rider

Just popping in
Posted on: 2005/8/22 20:53
rider
rider (Show more)
Just popping in
Posts: 56
Since: 2003/6/18
#11

Re: HTTP_REFERER Error

There is one other thing you might like to check.

In MainFile.php there is a line that tells you the address of the site, e.g. http://127.0.0.1.

I noticed that on my site there was a trailing /. XOOPS still worked but every time I clicked on a link it would log me out and when I logged in again it would bring up this error.

I only noticed the error when my URL bar kept showing: http://127.0.0.1//modules/news etc.

Double check mainfile.php and remove any trailing / from the URL.
Darryn Lowe
Rider NZ...

Audio

Just popping in
Posted on: 2005/8/29 2:01
Audio
Audio (Show more)
Just popping in
Posts: 1
Since: 2005/8/29
#12

Re: HTTP_REFERER Error

I had the HTTP_REFERER problem too, and it was driving me up the wall. I finally tracked down a fix here:

https://xoops.org/modules/smartfaq/faq.php?faqid=310

The fix at that URL is for pre-2.2.x versions. So here's the hack for 2.2.x versions:

Open the file class/xoopssecurity.php

On line 167 or so you'll find the following code:

/**
    * Check the user agent's HTTP REFERER against XOOPS_URL
    *
    * @param int $docheck 0 to not check the referer
 (used with XML-RPC), 1 to actively check it
    *
    * @return bool
    **/
    
function checkReferer($docheck=1)
    {
        if (
$docheck == 0) {
            return 
true;
        }
        
$ref xoops_getenv('HTTP_REFERER');
        if (
$ref == '') {
            return 
false;
        }
        
$pref parse_url($ref);
        if ( 
$pref['host'] != $_SERVER['HTTP_HOST'] ) {
            return 
false;
        }
        return 
true;
    }


Change

$ref xoops_getenv('HTTP_REFERER');
        if (
$ref == '') {
            return 
false;


to

$ref xoops_getenv('HTTP_REFERER');
        if (
$ref == '') {
            return 
true;


and you're in business.

I have no idea how this affects the overall security of your site, so make this hack at YOUR OWN RISK! The poster at https://xoops.org/modules/smartfaq/faq.php?faqid=310 seems to think it's okay, but you should probably take steps to find out for yourself . . .

dean_collins

Not too shy to talk
Posted on: 2005/8/29 4:23
dean_collins
dean_collins (Show more)
Not too shy to talk
Posts: 197
Since: 2005/7/10
#13

Re: HTTP_REFERER Error

hi, I had this problem as well but I found out it was related to running a linux apache XOOPS site behind an isa 2004 firewall and it not passing on headers correctly.

Dean
My Xoops site
www.aussienymeetup.net

wsecomp

Just popping in
Posted on: 2005/9/15 19:06
wsecomp
wsecomp (Show more)
Just popping in
Posts: 8
Since: 2005/5/5 2
#14

Re: HTTP_REFERER Error

I tried that hack and I'm still getting the error. I tried the browser_check and PASSED all tests.

I've even tried on the computer that XOOPS is loaded on...same thing.

This is getting annoying!

We're running this on Win2K (IIS 5). (( no gunshots please...it's for work ))

-- Matt

EDIT: Through some searching on the web I found the answer... although its not real secure, it's allowing me to get stuff done in the mean time.

It's similar to the hack above, but I just went a little further:

In your 'xoopssecurity' file find the 'checkReferer' function. Then, anything that says 'return false;' change to 'return true;'. So when you're done, it should look like this:
Quote:

function checkReferer($docheck=1)
{
if ($docheck == 0) {
return true;
}
$ref = xoops_getenv('HTTP_REFERER');
if ($ref == '') {
return true;
}
$pref = parse_url($ref);
if ( $pref['host'] != $_SERVER['HTTP_HOST'] ) {
return true;
}
return true;
}


NOW, if the hack in the previous post (2 or 3 above this one) works, I strongly suggest you use it. Basically, following my direction turns off ALL referring checks.

I don't know much about PHP, so I can't decipher what all of the variables are, and where they are coming from. But, if someone wants to take this idea and run with it, and figure out WHY the referer check is so strict that it's causing a bunch of people problems, go for it!

dean_collins

Not too shy to talk
Posted on: 2005/9/15 19:16
dean_collins
dean_collins (Show more)
Not too shy to talk
Posts: 197
Since: 2005/7/10
#15

Re: HTTP_REFERER Error

Sorry it wont solve your problem but... I found out it wasn't because of isa 2004 that I was having this problem.

it's actually turned out to be because of a space between the last parenthesis


// XOOPS Physical Path
// Physical path to your main XOOPS directory WITHOUT trailing slash
// Example: define('XOOPS_ROOT_PATH', '/var/www/apache2-default');
define('XOOPS_ROOT_PATH', '/var/www');

// XOOPS Virtual Path (URL)
// Virtual path to your main XOOPS directory WITHOUT trailing slash
// Example: define('XOOPS_URL', '/apache2-default');
define('XOOPS_URL', '');

here is the correct way it should be.

I used to have it as
define('XOOPS_URL', ' ');

which is what was causing the problem.

Cheers,
Dean
My Xoops site
www.aussienymeetup.net

toddherrold

Quite a regular
Posted on: 2005/12/15 3:18
toddherrold
toddherrold (Show more)
Quite a regular
Posts: 274
Since: 2004/6/13
#16

Re: HTTP_REFERER Error

I'm getting lots of "no valid security token" and "invalid session" and "http_referrer" errors on my wordpress blog since upgrading to XOOPS 2.2.3 and hope this helps. So far, so good after changing all falses to true.

Khepri

Just popping in
Posted on: 2005/12/29 0:40
Khepri
Khepri (Show more)
Just popping in
Posts: 35
Since: 2005/8/25
#17

Re: HTTP_REFERER Error

I'm getting this after running the update script (to 2.2.3a) on a 2.0.13.1 install....

Here's the difference...I've run the update on three installs with no trouble (in the end..LOL)...

But the fourth install, doing the exact same thing yeild the http_referrer error....

The difference? The fourth install is on a server that has a private SSL cert installed on it. It was installed on www.site.com, but I notice that XOOPS keeps stripping the www out and redirecting to site.com...and I get the error...

The tech that installed the cert suggested to put it under www.site.com...I email the servers support but I'm thinking their going to say it's a XOOPS problem...which judging by this thread I'm inclined to believe...:)

Is this a DNS issue? Or is it something in XOOPS?

UPDATE: Upon further investigation I find that XOOPS "works" as long as I stick with the site.com format URI...the second www is prepended the warnings start....on 2.2.3a

UPDATE2:

I tried switching authentication method to LDAP...now I'm locked out of the site because the LDAP module won't load...

I also installed to subdomain.site.com...works great!

The issue seem to be XOOPS NOT treating www.site.com and site.com as one in the same...

If I log into site.com...all is okay...while logged in if I migrate via the address bar in the FF browser to www.site.com...it wants me to login again. Which of course, it won't let me, because upon submitting the login I get redirected to site.com with a error message that it's the wrong password....

I think I'm just going to go baCK TO 2.0.13.2..disappointed.

UPDATE3: NAH, SCREW THAT! I'm going to make this work...it works on another domain install to webroot!

Any suggestions are appreciated...

UPDATE4: This appears to have corrected the situation somewhat...I'm not getting the http_referrer warning anymore....however if I attempt to login at site.com instead of www.site.com it doesn't know who I am...

This is from the FAQ;

"This could be caused by not having the XOOPS_URL and/or PHYSICAL_PATH in mainfile.php set to exactly where the website is located. This means that redirects do not work, as XOOPS checks the URL you logged into to the URL you are at, and if the base URL doesn't match (ie. www.xoops.org vs. xoops.org without www), you're not recognised as logged in."

Mine said "site.com"...it gave me http_referrer warning...I changed it to "www.site.com" (which matches a CNAME in my DNS) I no longer get the warning and redirect does indeed work now...that'll work for now...but there should be a way to handle that discrepency...imo.
Moo.

JamesSAEP

Just can't stay away
Posted on: 2005/12/29 17:15
JamesSAEP
JamesSAEP (Show more)
Just can't stay away
Posts: 732
Since: 2005/2/28
#18

Re: HTTP_REFERER Error

I'm still having this problem with one of my sites.

I have my primary site: www.domain.com/site1 which works fine when I type the url into a browser.

My second site is installed in a second folder at: www.domain.com/site2 and this is the one that has a problem.

When I type in the full ulr http://www.domain.com/site2 the browser is redirected to http://domain.com/site2. As soon as I login, the browser is then redirected to the url with "http://www.domain.com/site2" and gives the HTTP_REFER error.

The mainfile.php does have the correct settings:

define('XOOPS_ROOT_PATH', '/public_html/domain.com/site2');

define('XOOPS_URL', 'http://www.domain.com/site2');

1. Why would this misdirection happen?

2. Is there a way to put in a htaccess that will direct it to the url with the "http://www." ?

Thanks.

JamesSAEP

Just can't stay away
Posted on: 2005/12/29 19:25
JamesSAEP
JamesSAEP (Show more)
Just can't stay away
Posts: 732
Since: 2005/2/28
#19

Re: HTTP_REFERER Error

Ok, after further investigation, the redirect to the "http://domain.com/site2" only happens on the initial page load. If you click any of the Main Menu links (Home, Newbb, News, etc) the browser address has the "http://www." added.

So, this seems to be only a problem on the initial site load.

Any thoughts?

Khepri

Just popping in
Posted on: 2005/12/30 0:00
Khepri
Khepri (Show more)
Just popping in
Posts: 35
Since: 2005/8/25
#20

Re: HTTP_REFERER Error

Did you try adding the www. to this?;

define('XOOPS_ROOT_PATH', '/public_html/domain.com/site2');

Seem like it is passing that to the browser and you get that weird redirect.

I don't seem to have that problem as my wehost uses a user name there instead of a domain name....
Moo.