ekc

asked on

Safe redirection

I have a problem that sounds very common in web development nowadays, and I suppose there is a common solution...
There are two WEB sites: A and B.
The user will log in on site A. After this, site A should somehow redirect the user's browser to site B, letting him navigate this second site. The redirecting link should contain some parameters (like user ID). The user shouldn't ever be able to enter site B directly, since the authentication information resides on site A.

A solution which crossed my mind was to use https both to return redirection info (with user ID parameter) from the site A to the user, and later from browser to connect to site B.

Is there any "common solution" to this problem?
Thank you.
davlun20080

A common practice would be to redirect, passing forward the user name and password if needed, or perhaps a variable like 'logged=true' in the querystring.

The page you redirect to on site B would read in the value of 'logged' and if true set session variable by same name to true.  Then add a little snippet on the top of each page that checks to see if the session variable 'logged' is true, else redirect back to site A.

Is this what you want (how people handle), or are you looking for code?

davlun
ASKER CERTIFIED SOLUTION
englishman

This solution is only available to members.
Nitin Sontakke
The page to which you are redirecting on Site B can also have a following check...


'HTTP_REFERER holds the full URL of the previous page, so look for the
'page name inside it rather than comparing the whole string.
If InStr(Request.ServerVariables("HTTP_REFERER"), "PageFromSiteA.asp") = 0 Then

    'invalid login...
    'Redirect back to site a...
    Response.Redirect "http://SITE_A_HOST/PageFromSiteA.asp"  'SITE_A_HOST is a placeholder
    Response.End
End If

'Usual site b code...

HTTP_REFERER will give the name of the previous page, which should match the name of the page you are redirecting from.
As for encryption, that is good.  You can also get it out of the querystring by adding headers to the file in ASP and transferring the user in secure mode.

davlun

ASKER

Thank you all.

And what about https?

Is it possible to do it using https and without encrypting?
Or to combine those two?
Timestamp is not very reliable, since there are two servers in the game and you never know...
Yes, you can send the info to the other server in a form or in the query string, in secure mode.  Or you can add headers with the values needed and transfer that way in secure mode as well (I have never done it this way personally, but do believe it is done on many sites).

https?
The answer is surely no - if the key is in the querystring from the first site to the second, encryption is the only way to go.
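The thread settles on a key in the querystring that site B can trust only if it is protected cryptographically, with a timestamp that tolerates skew between the two servers. The following Python script is an added illustration of that approach and is not code from any of the posters (the thread itself is about classic ASP): site A issues a redirect URL carrying the user ID, an issue time, a nonce and an HMAC over those three values under a secret shared by A and B, and site B accepts the request only if the signature verifies, the timestamp is within a tolerance window, and the nonce has not been seen before. The secret value, the TTL and the `https://site-b.example/enter.asp` entry URL are constructed placeholders. The example also shows why a bare `logged=true` parameter, or a Referer check, is not a substitute: anything the browser can be told to send, it can also be made to send without site A's involvement, whereas the signature cannot be produced without the shared secret.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder: in a real deployment this is provisioned out of band
# on both servers and never appears in any URL or page.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# How far apart the two servers' clocks (plus network delay) may be before a
# token is rejected. Generous enough to absorb skew, short enough that a
# captured URL is useless soon after it was issued.
TOKEN_TTL_SECONDS = 300


def _signature(user_id: str, issued_at: int, nonce: str) -> str:
    """HMAC-SHA256 over the fields site B needs to trust."""
    message = f"{user_id}|{issued_at}|{nonce}".encode()
    return hmac.new(SHARED_SECRET, message, hashlib.sha256).hexdigest()


def build_redirect_url(site_b_entry: str, user_id: str,
                       now: Optional[int] = None,
                       nonce: Optional[str] = None) -> str:
    """Site A: build the URL the logged-in browser is redirected to."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16) if nonce is None else nonce
    params = {
        "uid": user_id,
        "ts": issued_at,
        "nonce": nonce,
        "sig": _signature(user_id, issued_at, nonce),
    }
    return f"{site_b_entry}?{urlencode(params)}"


def verify_redirect(url: str, now: Optional[int] = None,
                    seen_nonces: Optional[Set[str]] = None) -> Optional[str]:
    """Site B: return the user id if the token is valid, otherwise None.

    A request with only 'logged=true', a missing field, a tampered user id,
    an expired timestamp, a bad signature or a replayed nonce is rejected.
    """
    query = parse_qs(urlparse(url).query)
    try:
        user_id = query["uid"][0]
        issued_at = int(query["ts"][0])
        nonce = query["nonce"][0]
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None

    current = int(time.time()) if now is None else now
    if abs(current - issued_at) > TOKEN_TTL_SECONDS:
        return None

    # Constant-time comparison so timing does not leak the expected digest.
    if not hmac.compare_digest(sig, _signature(user_id, issued_at, nonce)):
        return None

    # Each token may be redeemed once; the store would be shared or persisted
    # on site B in practice.
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None
        seen_nonces.add(nonce)
    return user_id


if __name__ == "__main__":
    url = build_redirect_url("https://site-b.example/enter.asp", "ekc")
    print(url)
    print("verified as:", verify_redirect(url, seen_nonces=set()))
```

Because the signature covers the user ID, changing `uid` in the URL invalidates it, and because the nonce is recorded on site B, reusing a captured URL fails even inside the TTL window. Sending the URL over https on both legs, as the asker proposed, still matters: it keeps the token out of proxy logs and off the wire in the clear, but it does nothing to stop a user from editing the querystring, which is what the signature is for.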

ASKER

Ok. Thank you once more.
This time, englishman gets the points; I'll try it his way.