Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Safe redirection

Posted on 2002-06-13
8
Medium Priority
?
294 Views
Last Modified: 2013-12-25
I have a problem that sounds very common in a web development nowadays, and suppose there is a common solution...
There are two WEB sites: A and B.
The user will log in on the site A. After this, the site A should somehow redirect the user's browser to site B letting him navigate this second site. The redirecting link should contain some parameters (like user ID). The user shouldn't ever be able to enter the site B directly, since the autentification information resides on the site A.

A solution which crossed my mind was to use https both to return redirection info (with user ID parameter) from the site A to the user, and later from browser to connect to site B.

Is there any "common solution" to this problem?
Thank you.
0
Comment
Question by:ekc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 3

Expert Comment

by:davlun20080
ID: 7076793
A common practice would be to redirect, passing foward the user name and password if needed, or perhaps a variable like 'logged=true' in the querystring.

The page you redirect to on site B would read in the value of 'logged' and if true set session variable by same name to true.  Then add a little snippet on the top of each page that checks to see if the session variable 'logged' is true, else redirect back to site A.

Is this what you want (how people handle), or are you looking for code?

davlun
0
 
LVL 2

Accepted Solution

by:
englishman earned 400 total points
ID: 7077960
Yes, stick something in the querystring - but I would do something like encrypt the date and stick that in - this way noone would be able to simple write a value in the url string and get in without picking up the value from site A.
0
 
LVL 10

Expert Comment

by:Nitin Sontakke
ID: 7078439
The page to which you are redirecting on Site B can also have a following check...


If Request.ServerVariables("HTTP_REFERER") <> "PageFromSiteA.asp" Then

    'invalid login...
    'Redirect back to site a...
End If

'Usual site b code...

http_referer will give name of the previous page, that should match with the name of page you redirecting from.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Expert Comment

by:davlun20080
ID: 7078537
As for encryption, that is good.  you can also get it out of the querystring by adding headers to the file in asp and transferring the user in secure mode.

davlun
0
 
LVL 5

Author Comment

by:ekc
ID: 7079181
Thank you all.

And what about https?

Is it possible do it using https and without encrypting?
Or to combine those two?
Timesptamp is not very reliable, since there are two servers in the game and you never know...
0
 
LVL 3

Expert Comment

by:davlun20080
ID: 7080144
Yes, you can send the info to the other server in a form or in the query string, in secure mode.  Or you can add headers with the values needed and transfer that way in secure mode as well (I have never done it this way personally, but do believe it is done on many sites).

0
 
LVL 2

Expert Comment

by:englishman
ID: 7080807
https?
The answer is surely no - if the key is in the querystring from the first site to the second, encryption is the only way to go.
0
 
LVL 5

Author Comment

by:ekc
ID: 7083746
Ok. Thank you once more.
This time, englishman gets the points, I'll try this his way.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Although a lot of people devote their energy toward marketing for specific industries, there are some basic principles that can be applied to any sector imaginable. We’ll look at four steps to take and examine how those steps were put into action fo…
Dramatic changes are revolutionizing how we build and use technology. Every company is automating, digitizing, and modernizing operations. We need a better, more connected way to work together as teams so we can harness the insights from our system…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question