mbart
asked on
How do I determine where a response.redirect came from?
I have a web site that I use to redirect a member to another website via https. Because I use a response.redirect there is no HTTP_Referer available for the receiving site to validate that the reqeust came from my site. Have tried to add a Resposne.AppendHeader prior to the response.redirect with no joy. What can I do to ensure the request came from my site?
if (ConfigurationManager.AppSettings["Mask"].ToString().ToLower() == "true")
{
sbURL.Append(encryptQueryString(_EDIPI));
Response.AppendHeader ("ReserveHeader","navyreserve.navy.mil");
Response.Redirect(sbURL.ToString());
}
else
{
sbURL.Append(_EDIPI);
Response.AppendHeader("ReserveHeader", "navyreserve.navy.mil");
Response.Redirect(sbURL.ToString());
}
ASKER
Is this the same as the querystring? I pass an encrypted id via a querystring, but the receiving site wants to be sure it came from my site and not just a cut and paste of the url.
> .. ^wants to be sure it came from my site and not just a cut and paste of the url.
Could you explain how a link "comes from your site" differs from copying the same link in the URL bar?
Could you explain how a link "comes from your site" differs from copying the same link in the URL bar?
ASKER
When a hyperlink is clicked the HTTP_Referer reflects the URL of the requesting (referring) site. When it is a cut and past there is no HTPP_Referer. This is what is the crux of my problem as I don't want to use a link, as I want to use a popup window and not show the query string if at all possible.
> When it is a cut and past there is no HTPP_Referer.
and if the link was c&p and the referer added manually (proxy or whatever), how would you distinguish that?
The referer header is 101% unreliable.
and if the link was c&p and the referer added manually (proxy or whatever), how would you distinguish that?
The referer header is 101% unreliable.
ASKER
I am well aware that the Http_referer is not reliable, but the question remains, is it possible to tell if the request came from my site vice someother place?
> .. is it possible ..
if you mean "reliable" when writing "possible", then the answer is no
otherwise the answer is sometimes yes by checking the Referer header
if you mean "reliable" when writing "possible", then the answer is no
otherwise the answer is sometimes yes by checking the Referer header
ASKER
If no link is used ie; the request is generated from code, see code provided, there is no Referer header which is why the question was posted in the beginning. I have tried doing a add.header but that doesn't work as it doesn't show on my fully patched web front end. Beginning to think there is no solution for this. I am currently using a query string but that is not very reliable either. Just looking for a way to determine the url the request is coming from.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks I will see what I can find, everything I have found so far says that a Microsoft patch has plugged the use of added headers. But I will limp along with what I have.
add a query parameter to all of your links