Request.ServerVariables ("HTTP_REFERER") is null

I had my web hosting people put a link on my page that should send visitors to another asp page.  I try to ensure that the second page is not accessed except through the first page by putting the following code in the second page:

<%
If (Request.ServerVariables ("HTTP_REFERER") <> "firstpage" Then    
     response.Redirect("firstpage")
End If
%>

The problem is that Request.ServerVariables ("HTTP_REFERER") is null even when I click on the link that was put on my first page.

SHould this be so?  If not what could be the problem?
desmondgAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
kevp75Connect With a Mentor Commented:
well.....the real problem is the fact that HTTP_REFERER is unreliable at best, so it doesn't matter what you do with it, there will always be a circumstance where this method will get you a incorrect value.

0
 
desmondgAuthor Commented:
Is there some workaround to ensure that the visitors go through the right channels?
0
 
kevp75Commented:
not unless you are sitting with the client at all times...
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
ddrudikConnect With a Mentor Commented:
In ASP code, set a session variable on the first page that is checked on the second page.
0
 
b0lsc0ttIT ManagerCommented:
Kevp75's comment that there is no great way to do this is basically correct.  Ddrudik provided one method that could work.  A similar one would be to use a cookie.  Have page 1 make a cookie and test for it at the start of page 2.  If the cookie doesn't exist with the value then redirect to page 1.  However, like with session variables, this depends on the browser and cookies being enabled.  You would have to decide how important this is and if it is worth requiring cookies and possibly not working for some visitors.

You can find info on making and reading cookies at http://www.w3schools.com/asp/asp_cookies.asp.  Let me know if you need more details.

Let me know if you have a question.

bol
0
 
vb_mctConnect With a Mentor Commented:
Actually, there is a great way to do this.

Pass a request variable in the link from the first page to the second page and trap it on the second page.
i.e.  <a href="secondpage.asp?referer=firstpage">Click Here</a>

On the second page:
<%  If Request("referer") <> "firstpage" Then Response.Redirect "firstpage"  %>

HTH,
Scott
0
 
desmondgAuthor Commented:
Thank you all for your comments.  
0
 
b0lsc0ttIT ManagerCommented:
Well it seems like I was the only one that didn't contribute anything earlier. ;-)   I will just make a quick observation of the URL suggestion to hopefully make up for that.  It is a good suggestion but it can easily be "fooled" by the visitor using the querystring in the URL to the second page.  Since it is the querystring it is pretty obvious and part of a bookmark if your second page is one that would be bookmarked.  That may not be a concern in this case but I thought it was worth mentioning.  It is a good suggestion though and I definitely don't mean to detract from it or the others. :)

bol
0
 
desmondgAuthor Commented:
b0lsc0tt,

You certainly contributed earlier except that I thought (perhaps wrongly) that the use of session variables and cookies are very similar, conceptually.

And thanks very much for your comment on the URL suggestion.  I had considered this myself and came to pretty much the same conclusions as you did.

One quick observation,  however.  I am using the http_referrer on other links in the 'chain' and it seems to me that it works consistently on all the links for which it actually works and fails consistently also.  In fact it fails only on the link on our home page hosted by an outside provider.  The other links in the chain are on our web server and it seems to work consistently there.

Could the failure be somehow due to the web server software and that perhaps if our hosting people would upgrade/change their software that may remedy the problem?  Just a thought...
0
 
desmondgAuthor Commented:
And another point.  How do people ensure that you log in to access their services rather than go directly to the services page?  I was told once, on this very forum that the http_referrer variable was used to ensure this.
0
 
b0lsc0ttIT ManagerCommented:
Thanks!  I'm glad to know I helped a bit. :)

>> the use of session variables and cookies are very similar, <<

True.  There is a difference but it is minor and I would usually use session variables over cookies.  Since session variables had already been suggested I just wanted to mention an alternative even if it is one I consider less appealing.

>> Could the failure be somehow due to the web server software and that perhaps if our hosting people would upgrade/change their software that may remedy the problem? <<

Most likely it is server related.  This might be intentional though and done for "security" reasons.  If that is the case then an upgrade won't fix it and the company won't change it.  It won't hurt to mention it and ask though.

bol
0
 
b0lsc0ttIT ManagerCommented:
>> How do people ensure that you log in to access their services rather than go directly to the services page? <<

It is a common way to do it but just not fool-proof.  If the page really requires authentication (i.e. some type of login) then that will prevent anyone from going to it without loggin in.  However in this case it is just a normal page.  You can use the server script methods mentioned to try to control when it is accessed but they rely on the server, the browser and/or the client's settings to work.

In this case the server is having a problem but the browser is also an important part of getting the referrer.  That can be spoofed or just not supported which would bypass the check or cause it to fail.  Cookies and even session variables depend on the browser and client settings so might not work.

If this is really part of a login then I would say it is more common to use session variables and cookies.  The referrer can be used and might even be important for a part of it but usually isn't the most important part.  If the browser or client settings make it so cookies or session variables don't work then at least they will fail and not be permitted access.  Basically you require those things.

I hope this helps.  Let me know if you have a question about something I said.  If you do have more follow up questions on this then open a new question and post the URL here to let us know.

bol
0
All Courses

From novice to tech pro — start learning today.