• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 322
  • Last Modified:

How do I determine where a response.redirect came from?

I have a web site that I use to redirect a member to another website via https.  Because I use a response.redirect there is no HTTP_Referer available for the receiving site to validate that the reqeust came from my site.  Have tried to add a Resposne.AppendHeader prior to the response.redirect with no joy.  What can I do to ensure the request came from my site?
if (ConfigurationManager.AppSettings["Mask"].ToString().ToLower() == "true")
                {
                sbURL.Append(encryptQueryString(_EDIPI));
                Response.AppendHeader ("ReserveHeader","navyreserve.navy.mil");
                Response.Redirect(sbURL.ToString());
                }
                else
                {
                sbURL.Append(_EDIPI);
                Response.AppendHeader("ReserveHeader", "navyreserve.navy.mil");
                Response.Redirect(sbURL.ToString());
                }

Open in new window

0
mbart
Asked:
mbart
  • 5
  • 5
1 Solution
 
ahoffmannCommented:
> What can I do to ensure the request came from my site?
add a query parameter to all of your links
0
 
mbartAuthor Commented:
Is this the same as the querystring?  I pass an encrypted id via a querystring, but the receiving site wants to be sure it came from my site and not just a cut and paste of the url.
0
 
ahoffmannCommented:
> .. ^wants to be sure it came from my site and not just a cut and paste of the url.
Could you explain how a link "comes from your site" differs from copying the same link in the URL bar?
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
mbartAuthor Commented:
When a hyperlink is clicked the HTTP_Referer reflects the URL of the requesting (referring) site.  When it  is a cut and past there is no HTPP_Referer. This is what is the crux of my problem as I don't want to use a link, as I want to use a popup window and not show the query string if at all possible.
0
 
ahoffmannCommented:
> When it  is a cut and past there is no HTPP_Referer.
and if the link was c&p and the referer added manually (proxy or whatever), how would you distinguish that?
The referer header is 101% unreliable.
0
 
mbartAuthor Commented:
I am well aware that the Http_referer is not reliable, but the question remains, is it possible to tell if the request came from my site vice someother place?
0
 
ahoffmannCommented:
> .. is it possible ..
if you mean "reliable" when writing "possible", then the answer is no
otherwise the answer is sometimes yes by checking the Referer header
0
 
mbartAuthor Commented:
If no link is used ie; the request is generated from code, see code provided,  there is no Referer header which is why the question was posted in the beginning.  I have tried doing a add.header but that doesn't work as it doesn't show on my fully patched web front end.  Beginning to think there is no solution for this.  I am currently using a query string but that is not very reliable either.  Just looking for a way to determine the url the request is coming from.
0
 
ahoffmannCommented:
there're infinite tools which can perform a request, and most of them can use whaterver you like (and even what you cannot imagine:) as referer
So there is no reliable way to "determine the url the request is coming from".
0
 
mbartAuthor Commented:
Thanks I will see what I can find, everything I have found so far says that a Microsoft patch has plugged the use of added headers.  But I will limp along with what I have.
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now