How to retrieve referrer when using HTTPS

When I try to read the HTTP_REFERER server variable when the link is on an HTTPS page, I get an empty string. This question has been answered here before, but my experience is not consistent with the previous answer. Obviously some people are able to read the referer even when using SSL. Could it be due to a different configuration?

My environment is IIS6 on a Win 2003 server. I use an ASP.NET 2.0 web application for testing. It works perfectly when using HTTP. (Request.ServerVariables["HTTP_REFERER"])

Appreciate any suggestions or comments.
valox asked:
mrcoffee365 commented:
valox -- I see this might be the follow-on to the discussion we were having in another forum.

In all of my testing, the Referer header field comes through fine over HTTPS.

However, I have found a case where it does not:  When an HTTPS page has a link explicitly to an HTTP page, the referer header value from the HTTPS page is not sent to the HTTP page.  That might be why you think you can't get the referer field, and I know that I can.  It's apparently for security reasons.
alexcohn commented:
Let us first agree that looking at the HTTP referrer field is not reliable in two senses: it may easily be forged, and on the other hand it may be missing due to configuration on the client side. Specifically, the browser may decide not to send this information to HTTPS hosts. This field should be used only as a last resort, with a conscious understanding of its limitations. In particular, it should not be used to track the client's behavior within your application (e.g. whether c.aspx is reached from a.aspx or b.aspx). There are reliable techniques for that, generic or specific to .NET.

The only excusable case of using the HTTP referrer is when you publish your URL for external sites and want to understand which of these external links brought the browser to your "landing" page. In this situation, there is no justification for publishing an HTTPS URL. Anyway, the SSL session will not be inherited but created anew.

If it is important that even the first page viewed in your application is fully trusted and runs as HTTPS, you can simply redirect the people who arrive at your HTTP landing page to the HTTPS trusted site. The referrer info will be gathered at the HTTP page, and you may generate a session object for the newcomer and store the original referrer with other information in the session object.
alexcohn commented:
mrcoffee365, the case you describe simply follows the HTTP spec:

{http://kb.mozillazine.org/Network.http.sendSecureXSiteReferrer} says: "The HTTP spec specifies that going from a secure (https) server to a non-secure (http) server should not result in a Referer header being sent, but does not define whether a Referer should be sent between two secure sites."
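To make the two points of this thread concrete, here is an added Python example; it is not code from the original question or answers, which concern ASP.NET 2.0 on IIS 6. It models the RFC 2616 section 15.1.3 rule (a client should not send Referer on an HTTPS to HTTP navigation, while HTTPS to HTTPS is not restricted by the spec) and the pattern alexcohn describes: capture the referrer on an HTTP landing page, then hand the visitor to the HTTPS application. The URLs, the LandingSite class and the one-time token scheme are constructed for illustration and are not part of the original page.

```python
"""Model of the RFC 2616 15.1.3 Referer rule plus an HTTP landing page that
records the referrer and redirects to an HTTPS application.
Added example; not the asker's ASP.NET code. All URLs are constructed."""
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed, hypothetical URLs for the example.
LANDING_HTTP = "http://www.example.com/landing"
APP_HTTPS = "https://www.example.com/app/Default.aspx"


def referer_header_for(referring_url: str, target_url: str) -> Optional[str]:
    """Value a spec-following client puts in Referer, or None for no header.

    RFC 2616 15.1.3: a client SHOULD NOT send Referer in a non-secure (http)
    request when the referring page was retrieved over a secure protocol.
    The spec says nothing about https -> https, so that case sends it.
    Userinfo and fragment are stripped, as browsers do, so a link on
    http://user:pw@host/p#x never leaks credentials or the fragment.
    """
    src, dst = urlsplit(referring_url), urlsplit(target_url)
    if src.scheme == "https" and dst.scheme == "http":
        return None
    netloc = src.netloc.rsplit("@", 1)[-1]  # drop user:pw@ if present
    return urlunsplit((src.scheme, netloc, src.path, src.query, ""))


def parse_referrer_hint(header_value: Optional[str]) -> Optional[str]:
    """Server side: Referer is untrusted, client-supplied input.

    It can be forged or absent, so it is only ever an analytics hint.
    Accept absolute http/https URLs with a host and keep scheme, host and
    path (enough to tell which external link was followed); reject the rest.
    """
    if not header_value:
        return None
    parts = urlsplit(header_value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return f"{parts.scheme}://{netloc}{parts.path or '/'}"


def query_of(location: str) -> Dict[str, str]:
    """Query parameters of a redirect Location as a dict."""
    return dict(parse_qsl(urlsplit(location).query))


class LandingSite:
    """Hypothetical site: HTTP landing page in front of an HTTPS application."""

    def __init__(self) -> None:
        # referrer hints parked under one-time tokens until the HTTPS side
        # redeems them; nothing is created as a session over cleartext
        self._pending: Dict[str, Optional[str]] = {}

    def landing(self, request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        """HTTP landing page: record the hint, redirect to HTTPS with a token."""
        hint = parse_referrer_hint(request_headers.get("Referer"))
        token = secrets.token_urlsafe(32)
        self._pending[token] = hint
        return 302, {"Location": f"{APP_HTTPS}?r={token}"}

    def app(self, query: Dict[str, str]) -> Dict[str, Optional[str]]:
        """HTTPS application: redeem the token once, then create the session."""
        token = query.get("r")
        hint = self._pending.pop(token, None) if token else None
        return {"id": secrets.token_urlsafe(32), "original_referrer": hint}


def simulate_visit(referring_url: str, site: LandingSite) -> Optional[str]:
    """Follow a link from referring_url to the HTTP landing page and on to the
    HTTPS app; return the referrer the app ends up with in its session."""
    headers: Dict[str, str] = {}
    referer = referer_header_for(referring_url, LANDING_HTTP)
    if referer is not None:
        headers["Referer"] = referer
    status, response = site.landing(headers)
    if status != 302:
        raise RuntimeError("landing page did not redirect")
    return site.app(query_of(response["Location"]))["original_referrer"]


if __name__ == "__main__":
    # link from an http page arrives; link from an https page does not
    print(simulate_visit("http://partner.example/promo?x=1#frag", LandingSite()))
    print(simulate_visit("https://secure-partner.example/out", LandingSite()))
```

The landing page deliberately does not set a session cookie: a cookie issued over cleartext would lack the Secure attribute and be replayed over HTTP, so the referrer hint is parked under a random token that the HTTPS side redeems exactly once and the session itself is created under TLS. Whatever is stored remains a client-supplied hint, which is why parse_referrer_hint refuses anything that is not an absolute http or https URL.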
mrcoffee365 commented:
Yes -- that is indeed what I was describing.
mrcoffee365 commented:
If you need it, the actual HTTP RFC Security Considerations:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html
valox (author) commented:
Right to the point. Thanks