Re: [tlug] detect fake HTTP referrer

["Stephen J. Turnbull" <stephen@example.com>]

Nguyen Vu Hung writes:

 > > What exactly is the goal of getting accurate referral data here?

 > I want to know where I am linked from, at least.

Google will tell you that, I think.

 > And when an user trying access to my site, they should know that
 > the files they are going to download is hosted by aoclife, that means
 > the word "aoclife" should appear somewhere and the users
 > should be able to see it. I think it is ethic and my credit.

Unfortunately, that conflicts with the W3C's position on deeplinking,
see the references in http://en.wikipedia.org/wiki/Deep_linking.

If you just want the banner, and don't need reliable referral
information that bad, then you could do something like the following.

1.  Put the real file in /downloads/hidden/aoclife.zip.  (If necessary
    you can really hide the hidden directory using Apache access
    control.)  Also make a directory /downloads/chocolatechip.
2.  Make /downloads/aoclife.zip be a cgi (Apache configuration allows
    this).
3.  When serving GET /downloads/aoclife.zip, the CGI
    a.  generates a random string
    b.  touch'es /downloads/chocolatechip/<randomstring>
    c.  returns a Temporary Redirect HTTP status pointing to itself
        with query portion ?<randomstring>
    d.  cats your splash page (which doesn't have to say
        anything about an error).
4.  When serving GET /downloads/aoclife.zip?<randomstring>
    a.  if /downloads/chocolatechip/<randomstring> doesn't exist,
        return an error, or maybe /vmlinux. :^)
    b.  if it does exist, rm it, and
    c.  cat /downloads/hidden/aoclife to the requesting user.

For hints on generating randomstrings, you could look up uuidgen.