Solved

ASP.NET - what was the previous page (referrer)?

Posted on 2004-04-08
4
433 Views
Last Modified: 2008-02-01
I have an ecommerce app in ASP.NET which goes off to a secure site to take credit card details. The secure site sends the user back to one of my pages if the details are entered successfully, and that page converts the shopping cart into a firm order.

I don't want anyone simply entering the URL of that page, as it would try to create the order without the user first having supplied card details. One way would be to detect whether the previous page was the secure site or not. It if it was, I proceed, if not, I redirect them to the checkout page or an error page.

Is this a good approach? How do I do it?
0
Comment
Question by:crescendo
  • 2
4 Comments
 
LVL 12

Accepted Solution

by:
dfiala13 earned 500 total points
ID: 10782581
That's one way to do it. There are not a lot of great options when you send off your user to another site.

Does your payment vendor send you back any token in the redirect that indicates who the user was?

But back to your question...

Yes, you can check the Request.UrlReferrer value in your pageload and if you don't like the URL redirect to another page.

if Request.UrlReferrer <> "Https://blablah.com" then
       Response.Redirect = "another Url"
End if

Note this can be a bit of a trial and error approach if you look for an exact page in the URL.

The other option, is to add a session variable that indicates you sent the user of to the payment site.  Check for the presence of the variable when the page is accessed.  If not there, redirect as above.
0
 
LVL 7

Expert Comment

by:ScrptMasta
ID: 10785383
I'm with the above comments as it pertains to loading up a session variable. However this isn't going to work if there are 2 web sites involved as each different site will setup a new session. Session variables are private to the app and we have two apps here.

I would suggest having a hidden label on the form that comes up after the secure page sends the user back. Then send an the url referrer and if it matches what the hidden label equals then, yada,yada.....
0
 
LVL 9

Author Comment

by:crescendo
ID: 10785494
Hi

The remote site isn't under my control and just redirects back to a page I specify. I could include stuff in the URL, but I'm looking for ways to avoid the possibility of the user keying in or bookmarking the URL, so that wouldn't help too much.

The UrlReferrer code shown by difiala13 does the trick, so he gets the coconut. And I'm now thinking of ditching the external site and writing something myself!

Thanks

0
 
LVL 12

Expert Comment

by:dfiala13
ID: 10828045
BTW,
If you can dynamically have them include somthing in the return URL to your site, I'd create a unique token (GUID is easy) and have the pay site  include it in the return URL and store it in a session var on your site.  When the return call comes and you are happy with the referer check that the GUID supplied by the pay site matches the GUID in session.  You can kill the token after the first successful match or it will die when the session expires.

Dim g as Guid = new Guid()

Session("PayToken") = g

Send off to Pay site with intructions to return g in the URL.

if Request.UrlReferrer = "Https://blablah.com" then
    gRecd = CType(Request.QueryString("g"), Guid)
    gToken = CType(Session("PayToken"), Guid)
   if gRecd <> gToken then
        Response.Redirect = "another Url"
   End if
  Else
       Response.Redirect = "another Url"
End if
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now