How do you disable the check for referrer information?
If you have users on your own site who cannot post in forums or add other information to the site due to their firewall or some other software that is blocking the referrer information, then you may want to turn off the referrer check in the XOOPS code.
For more info about the referrer information problem, check out this question:
https://xoops.org/modules/smartfaq/faq.php?faqid=9
[There is a comment with detailed instructions for fixing the problem from the firewall end, but that requires all your users with the problem to successfully follow those steps, which chances are they will not all do, hence the need to be able to turn off the check in your XOOPS site.]
To turn off the referrer check, add a line to the function xoops_refcheck() in include/functions.php file, around line 137:
This information applies to XOOPS 2.0.7, and possibly earlier and later versions too. (Hopefully a system configuration option will be added in the future to turn this off without a hack).
Thanks to Mithrandir for this information, found in his post in the following thread:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=25989
For more info about the referrer information problem, check out this question:
https://xoops.org/modules/smartfaq/faq.php?faqid=9
[There is a comment with detailed instructions for fixing the problem from the firewall end, but that requires all your users with the problem to successfully follow those steps, which chances are they will not all do, hence the need to be able to turn off the check in your XOOPS site.]
To turn off the referrer check, add a line to the function xoops_refcheck() in include/functions.php file, around line 137:
function xoops_refcheck($docheck=1)
{
[color=ff0000]return true;#*#DISABLE_REFERER_CHECK#[/color]
$ref = xoops_getenv('HTTP_REFERER');
if ($docheck == 0) {
return true;
}
if ($ref == '') {
return false;
}
if (strpos($ref, XOOPS_URL) !== 0 ) {
return false;
}
return true;
}
This information applies to XOOPS 2.0.7, and possibly earlier and later versions too. (Hopefully a system configuration option will be added in the future to turn this off without a hack).
Thanks to Mithrandir for this information, found in his post in the following thread:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=25989
|
Author
Thread
Replies
Author
Published
Author
Thread
|
Re: this FAQ is too dangerous, isn't this?
Login
Search
Who's Online
Donat-O-Meter
| Stats | |
| Goal: | $100.00 |
| Due Date: | Jun 30 |
| Gross Amount: | $0.00 |
| Net Balance: | $0.00 |
| Left to go: | $100.00 |
 |
|
Did you know ?
Random question
Recent Q&A List
- How to minimize Spam...
- Is there any chance to connect...
- How to download files from XOOPS...
- I'm making a module/theme...
- How to properly configure your...
- How can i verify all of my files...
- I would like to know if...
- Can someone point me to the...
- Sense of XOOPS_TRUST_PATH
- I using the theme phpkaox, but...
Well, I'm not a professional. But, as far as I know, it is very risky to disable "referrer-check" because turning off the check makes the web sites more vulnerable to CSRF attacks.
function xoops_refcheck($docheck=1){
$ref = xoops_getenv('HTTP_REFERER');
if ($docheck == 0) {
return true;
}
if ($ref == '') {
[d]return false;[/d]//the very original
[b][color=ff0000]return [u]true[/u];[/color][/b]//hacked code
}
if (strpos($ref, XOOPS_URL) !== 0 ) {
return false;
}
return true;
}
Instead, the code above is rather safer than the one on FAQ. Bear in mind, ALL the webmaster MUST turn on "referrer" so as to protect your site.
Last but not least, all the thanks goes to GIJOE since this hack is originally introduced by him.
EDITED:
Well...the original code returns "FALSE" when referrer information is empty. On the other hand, the hacked code returns "TRUE". As a result, it disables referrer-check for those who doesn't send referrer.
So this hack in introduced for the convenience of USERS who don't know what referrer is and what their firewall does.