Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ServerVariables("HTTP_REFERER") = null when using HTTP, but not on HTTPS

Posted on 2004-03-30
3
Medium Priority
?
1,429 Views
Last Modified: 2011-04-25
This is by far the oddest bug I've ever encountered.

Our site is used with both HTTP and HTTPS (where HTTPS is for users who log in). This means that HTTP is used as the default except on certain pages that need to be secure (like the cart/checkout).  Our setup for purchasing works in a simple way; each page that actually adds/modifies a product contains a Response.Redirect(url) at the end so the page is never seen by the browser.  On each of these pages however, we trap for outside requests/POSTs for security reasons.


now the fun part.

When using HTTP, the Request.ServerVariables("HTTP_REFERER") is null.  the HTTP_REFERER object is also not part of ALL_HTTP either.  The basic effect is that anyone not logged in now cannot order anything because the modifier page does not detect that the request is coming from a friendly page.

Here is the ALL_HTTP when using HTTP:
HTTP_CONNECTION:Keep-Alive
HTTP_ACCEPT:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
HTTP_ACCEPT_ENCODING:gzip, deflate
HTTP_ACCEPT_LANGUAGE:en-us
HTTP_COOKIE:ASPSESSIONIDCQATSTTA=GIOBCOCAPFPLBFJHPJLIFCJK; SID=985856788702504439920922680162
HTTP_HOST:www.baka.ca
HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)


Switch to HTTPS, and the Request.ServerVariables("HTTP_REFERER") returns a proper value.  So anyone who logs in CAN order products because the request page is properly detected.

Here is the ALL_HTTP when using HTTPS:
HTTP_CONNECTION:Keep-Alive
HTTP_ACCEPT:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
HTTP_ACCEPT_ENCODING:gzip, deflate
HTTP_ACCEPT_LANGUAGE:en-us
HTTP_COOKIE:ASPSESSIONIDCQATSTTA=GIOBCOCAPFPLBFJHPJLIFCJK; SID=985856788702504439920922680162
HTTP_HOST:www.baka.ca
HTTP_REFERER:http://www.baka.ca/test/referer.asp?3%2F30%2F2004+12%3A36%3A38+PM
HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)


You can view my test page at http://www.baka.ca/test/referer.asp
The page contains 2 links at the bottom that switch between HTTP and HTTPS.  The HTTP_REFERER is bold and in red so you can't miss it (done through code). I also removed a the PATH_TRANSLATED and APPL_PHYSICAL_PATH intentionally (through code).

The question is, What is causing this error/problem and/or How do I solve it?
0
Comment
Question by:zeroreality
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 37

Accepted Solution

by:
meverest earned 2000 total points
ID: 10720487
Hi.

the browser is what provides that variable, not the server.  it is a browser issue you have coem up against.

on that note, i suggest to you that you should NEVER use a browser supplied data to run your web applications because as a developer, you normally never have control over what the browser does or what data it supplies (or doesn't supply)

there's also a security concern that if you use the datya supplied by the client, then there's no ay to tell whether it is accurate, or properly constructed, or even that it is legitimate and not faked!

i suggest that you try another way to get around that referrer requirement - either by a session variable or maybe url semaphore or form field.  the latter two (of course) also have similar security concerns.

(by the way, the http_referer worked fine for me on both http and https at your demo page)

good luck,

Mike.


0
 
LVL 2

Author Comment

by:zeroreality
ID: 10720878
i didn't even think of that.
ive tested it from home now and you're right... no issues.  so it has to be some kind of issue from our machines at work.

thanx for the advice, ill take it to heart  :)
0
 
LVL 4

Expert Comment

by:ajaykerala
ID: 35463573
can i know if you managed to get http_refferal working from a https domain ?
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Logparser is the smartest tool I have ever used in parsing IIS log files and there are many interesting things I wanted to share with everyone one of the  real-world  scenario from my current project. Let's get started with  scenario - How do w…
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question