My concerns are only peripherally related to security issues (e.g., http://support.microsoft.com/kb/178066) which I am not interested in in this case. I am not going from an https to http page, or vice versa, and this is not a big security issue for me personally in this case. In this particular situation, I'm more concerned about etiquette, given my web visitors may not be very computer savvy. I just don't want them to view/share links that display garbage.
THE GOOD NEWS:
Chrome, FF, and Opera handle the below code fine (which lives on page staff.asp), even when the browser agent is directed here (to staff.asp) by scripts on next.asp and previous.asp. The scripts on next.asp and previous.asp use a similar switch case using document.location for each case in order to change the postback URL vars:
var refPath = document.referrer;
refPath = refPath.substring(refPath.lastIndexOf('/')+1);
location.href = "staff-list.asp";
This is a huge problem for IE, even though it works fine in FF, Chrome, and Opera, because in IE, the referrer header is empty when a user agent arrives at a page from another page, if it did not get there via a link that was clicked (that's my understanding, anyhow).
Note that unlike next.asp and previous.asp, the full listing at staff-list.asp fortunately directs the browser agent to the page staff.asp, via a list of clickable links (on staff-list.asp), and so staff.asp works fine in all browsers, including IE when arriving on staff.asp from staff-list.asp.
Shall I provide the convenient check of referrer only for non-IE browsers (and present ugly junk only to those who venture to this page in IE, and without appropriate variables in the URL)?
Or is there some programmatic way to provide this redirection and changes to the URL variables, without spoofing the referrer, and without getting too complex?
I could encode the URL of next.asp and previous.asp for post back along with other variables, and then change the switch/case statement on staff.asp to look for this instead of referrer, but that just sounds crazy to me.
Cookies are a huge overkill on this, and an imposition on clients, just to browse a directory of staff. Must I resort to session variables? I'm actually on the verge of considering AJAX (which I have NEVER used before). I've heard that MooTools makes XMLHttpRequest much easier?
Is there a more elegant way?
REFERENCE: (OVERALL FLOW)
(1) staff-list.asp contains hard coded links like: staff.asp?empCode=egoMania
(2) staff.asp checks the referrer and does a bunch of stuff on the page, based on the URL vars
(3) while on staff.asp, users can click next or previous which go to next.asp or previous.asp
(4) Next.asp and Previous.asp just use a switch statement to redirect back to staff.asp with new variables
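
The option raised in the question (an explicit URL variable checked in place of the referrer), written out as an added example that is not part of the original post. The `from` parameter and every function name are assumptions; the value is only compared against a fixed list of page names and is never used as a redirect target, so a tampered link cannot send visitors off-site.

```javascript
// Added example. The "from" parameter and all names here are hypothetical.
const ALLOWED_SOURCES = new Set(["staff-list.asp", "next.asp", "previous.asp"]);
const FALLBACK = "staff-list.asp";
const BASE = "http://placeholder.invalid/"; // only used to parse relative URLs

// Last path segment of a URL, ignoring query string and fragment.
function lastSegment(url) {
  if (!url) return ""; // empty referrer, as described for IE
  try {
    const path = new URL(url, BASE).pathname;
    return path.substring(path.lastIndexOf("/") + 1).toLowerCase();
  } catch (e) {
    return "";
  }
}

// Which known page sent the visitor to staff.asp, or null if unknown.
// The explicit parameter wins; document.referrer is only a fallback.
function resolveSource(pageUrl, referrer) {
  const params = new URL(pageUrl, BASE).searchParams;
  const explicit = (params.get("from") || "").toLowerCase();
  if (ALLOWED_SOURCES.has(explicit)) return explicit;
  const viaReferrer = lastSegment(referrer);
  return ALLOWED_SOURCES.has(viaReferrer) ? viaReferrer : null;
}

// Where staff.asp should send the browser: null means stay and render.
// The target is always the fixed FALLBACK, never a value from the URL.
function nextLocation(pageUrl, referrer) {
  const params = new URL(pageUrl, BASE).searchParams;
  const known = resolveSource(pageUrl, referrer) !== null;
  return params.get("empCode") && known ? null : FALLBACK;
}

// URL that next.asp / previous.asp would redirect to.
function buildStaffUrl(empCode, from) {
  return "staff.asp?" + new URLSearchParams({ empCode, from }).toString();
}

// Browser wiring on staff.asp (skipped outside a browser).
if (typeof document !== "undefined") {
  const target = nextLocation(location.href, document.referrer);
  if (target) location.replace(target);
}
```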