How to retrieve referrer when using HTTPS

When I try to read the HTTP_REFERER server variable when the link is on an https page I get an empty string. This question has been answered here before, but my experience is not consistent with the previous answer. Obviously some people are able to read the referer even when using ssl. Could be due to different configuration?

My environment is IIS6 on a Win 2003 server. I use an ASP.NET 2.0 web application for testing. It works perfectly when using http. (Request.ServerVariables["HTTP_REFERER"])

Appreciate any suggestions or comments.
valox Asked:

alexcohn Commented:
Let us first agree that looking at the HTTP referrer field is not reliable in two senses: it may easily be forged, and on the other hand it may be missing due to configuration on the client side. Specifically, the browser may decide not to send this information to HTTPS hosts. This field should be used only as a last resort, with conscious understanding of its limitations. Particularly, it should not be used to track the client's behavior within your application (e.g. whether c.aspx is reached from a.aspx or b.aspx). There are reliable techniques for that, generic or specific to .NET.

The only excusable case of using the HTTP referrer is when you publish your URL for external sites and want to understand which of these external links brought the browser to your "landing" page. In this situation, there is no justification for publishing an HTTPS URL. Anyway, the SSL session will not be inherited but created anew.

If it is important that even the first viewed page of your application is all trusted and runs as HTTPS, you can simply readdress the people who arrive at your HTTP landing page to the HTTPS trusted site. The referrer info will be gathered at the HTTP page, and you may generate a session object for the newcomer, and store the original referrer with other information in the session object.
0
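
The landing-page approach described in the comment above, sketched for ASP.NET 2.0 as an added example (not code posted in the thread). The page name `Landing.aspx`, the session key `OriginalReferrer`, the host `www.example.com` and the length cap are assumptions made for illustration.

```csharp
using System;
using System.Web.UI;

// Code-behind for a hypothetical HTTP landing page, Landing.aspx.
public partial class Landing : Page
{
    // Assumed values, not from the thread: replace with your own site settings.
    private const string SecureBase = "https://www.example.com";
    private const string ReferrerKey = "OriginalReferrer";
    private const int MaxReferrerLength = 2048;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.IsSecureConnection)
            return; // Already on HTTPS: nothing to capture, no redirect loop.

        // The header is client-supplied and may be forged or absent, so it is
        // stored for traffic statistics only, never used for access decisions.
        Session[ReferrerKey] = NormalizeReferrer(Request.Headers["Referer"]);

        // Redirect to a fixed, configured host rather than echoing the Host
        // header. RawUrl always begins with "/", so the target host cannot change.
        // Note: this session ID has travelled over plain HTTP. The HTTPS pages
        // only see it if the session cookie is not marked Secure, and a fresh
        // session should be issued before any login state is attached to it.
        Response.Redirect(SecureBase + Request.RawUrl);
    }

    // Returns a cleaned referrer (scheme, host and path only) or null.
    private static string NormalizeReferrer(string raw)
    {
        if (string.IsNullOrEmpty(raw) || raw.Length > MaxReferrerLength)
            return null;

        Uri parsed;
        if (!Uri.TryCreate(raw, UriKind.Absolute, out parsed))
            return null; // Malformed header value.

        if (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps)
            return null; // Ignore javascript:, data:, file: and similar schemes.

        // Drop query string and fragment: they can carry search terms or tokens
        // belonging to the referring site that do not need to be retained.
        return parsed.GetLeftPart(UriPartial.Path);
    }
}
```

Reading `Request.Headers["Referer"]` and parsing it with `Uri.TryCreate` avoids relying on `Request.UrlReferrer` to cope with a malformed header value.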
mrcoffee365 Commented:
valox -- I see this might be the follow-on to the discussion we were having in another forum.

In all of my testing, the Referer header field comes through fine through HTTPS.

However, I have found a case where it does not: When an HTTPS page has a link explicitly to an HTTP page, the referer header value from the HTTPS page is not sent to the HTTP page. That might be why you think you can't get the referer field, and I know that I can. It's apparently for security reasons.
0
alexcohn Commented:
mrcoffee365, the case you describe simply follows the HTTP spec:

{http://kb.mozillazine.org/Network.http.sendSecureXSiteReferrer} says: "The HTTP spec specifies that going from a secure (https) server to a non-secure (http) server should not result in a Referer header being sent, but does not define whether a Referer should be sent between two secure sites."
0
mrcoffee365 Commented:
Yes -- that is indeed what I was describing.
0
mrcoffee365 Commented:
If you need it, the actual HTTP RFC Security Considerations:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html
0
valox (Author) Commented:
Right to the point. Thanks
0