Solved

How do I determine where a response.redirect came from?

Posted on 2009-04-10
Last Modified: 2012-05-06
I have a web site that I use to redirect a member to another website via https.  Because I use a Response.Redirect there is no HTTP_Referer available for the receiving site to validate that the request came from my site.  I have tried to add a Response.AppendHeader prior to the Response.Redirect with no joy.  What can I do to ensure the request came from my site?
if (ConfigurationManager.AppSettings["Mask"].ToString().ToLower() == "true")
{
    sbURL.Append(encryptQueryString(_EDIPI));
    Response.AppendHeader("ReserveHeader", "navyreserve.navy.mil");
    Response.Redirect(sbURL.ToString());
}
else
{
    sbURL.Append(_EDIPI);
    Response.AppendHeader("ReserveHeader", "navyreserve.navy.mil");
    Response.Redirect(sbURL.ToString());
}

Question by:mbart
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24125088
> What can I do to ensure the request came from my site?
add a query parameter to all of your links
0
 

Author Comment

by:mbart
ID: 24126508
Is this the same as the querystring?  I pass an encrypted id via a querystring, but the receiving site wants to be sure it came from my site and not just a cut and paste of the url.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24131282
> .. wants to be sure it came from my site and not just a cut and paste of the url.
Could you explain how a link "comes from your site" differs from copying the same link in the URL bar?
0
 

Author Comment

by:mbart
ID: 24133028
When a hyperlink is clicked the HTTP_Referer reflects the URL of the requesting (referring) site.  When it is a cut and paste there is no HTTP_Referer. This is the crux of my problem, as I don't want to use a link, as I want to use a popup window and not show the query string if at all possible.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24145627
> When it is a cut and paste there is no HTTP_Referer.
and if the link was c&p and the referer added manually (proxy or whatever), how would you distinguish that?
The referer header is 101% unreliable.
0
 

Author Comment

by:mbart
ID: 24210786
I am well aware that the Http_referer is not reliable, but the question remains, is it possible to tell if the request came from my site vice some other place?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24223499
> .. is it possible ..
if you mean "reliable" when writing "possible", then the answer is no
otherwise the answer is sometimes yes by checking the Referer header
0
 

Author Comment

by:mbart
ID: 24224681
If no link is used, i.e. the request is generated from code (see code provided), there is no Referer header, which is why the question was posted in the beginning.  I have tried doing an add.header but that doesn't work as it doesn't show on my fully patched web front end.  Beginning to think there is no solution for this.  I am currently using a query string but that is not very reliable either.  Just looking for a way to determine the url the request is coming from.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 24224827
there're infinite tools which can perform a request, and most of them can use whatever you like (and even what you cannot imagine :) as referer
So there is no reliable way to "determine the url the request is coming from".
0
 

Author Closing Comment

by:mbart
ID: 31568945
Thanks I will see what I can find, everything I have found so far says that a Microsoft patch has plugged the use of added headers.  But I will limp along with what I have.
0
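
The first reply's "add a query parameter" suggestion, carried further as an added example (not part of the original thread and not any poster's code): the sending site puts a signed, short-lived, single-use token in the redirect URL and the receiving site checks it instead of looking at Referer. The names RedirectToken, Issue and Verify, the "id.issuedAt.nonce.mac" layout, the shared HMAC key, the 60-second lifetime and the use of .NET 6 or later are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example; token layout, names and the 60 s lifetime are assumptions.
static class RedirectToken
{
    // Sending site: value for the redirect query string, "id.issuedAt.nonce.mac".
    public static string Issue(string id, byte[] key, DateTimeOffset now)
    {
        if (id.Contains('.')) throw new ArgumentException("id must not contain '.'");
        string nonce = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        string payload = $"{id}.{now.ToUnixTimeSeconds()}.{nonce}";
        return payload + "." + Convert.ToHexString(Mac(payload, key));
    }

    // Receiving site: accept only an unmodified, fresh, never-seen token.
    public static bool Verify(string token, byte[] key, DateTimeOffset now,
                              TimeSpan maxAge, ISet<string> usedNonces)
    {
        string[] p = token.Split('.');
        if (p.Length != 4 || !long.TryParse(p[1], out long issued)) return false;
        byte[] given;
        try { given = Convert.FromHexString(p[3]); }
        catch (FormatException) { return false; }
        byte[] expected = Mac($"{p[0]}.{p[1]}.{p[2]}", key);
        if (!CryptographicOperations.FixedTimeEquals(expected, given)) return false;
        long age = now.ToUnixTimeSeconds() - issued;
        if (age < 0 || age > (long)maxAge.TotalSeconds) return false; // stale or future-dated
        return usedNonces.Add(p[2]);                                  // Add fails on a replayed nonce
    }

    static byte[] Mac(string payload, byte[] key)
    {
        using var h = new HMACSHA256(key);
        return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // shared out of band in practice
        var seen = new HashSet<string>();                  // a shared, expiring store in practice
        var t0 = DateTimeOffset.UtcNow;
        var life = TimeSpan.FromSeconds(60);
        string token = Issue("1234567890", key, t0);       // constructed sample id
        Console.WriteLine(Verify(token, key, t0.AddSeconds(5), life, seen));   // first use
        Console.WriteLine(Verify(token, key, t0.AddSeconds(6), life, seen));   // same URL pasted again
        Console.WriteLine(Verify("9" + token.Substring(1), key, t0, life, seen)); // tampered id
    }
}
```

A valid token shows that the URL was minted by a holder of the shared key within the lifetime and has not been used before; it does not identify the page the browser navigated from, which matches the accepted answer.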


Question has a verified solution.
