How To Check The Previous WeBsite URL You Came From


I have two Websites
Website A
WebSite B

I want to make sure that all visitors on Site B are coming from Website A.

How i can accomplish this in

LVL 16
Kamal KhaleefaInformation Security SpecialistAsked:
Who is Participating?
Dr. KlahnConnect With a Mentor Principal Software EngineerCommented:
  • Issue a referral URL on site A with a unique one-time referral code in the URI, e.g.
  • Require visitors to site B have a valid referral field in the URI.
  • Let referral fields be valid for, say, five minutes.
  • When a referral is used, validate the referral, issue a local cookie to permit access if it is valid, and always empty the used referral table (see next).
  • Put used referral fields in a local table as "expired".
  • Then visitors to site B must come from site A and the referral can only be used once.

This is a workaround to the HTTP "referer" field, which (a) can be spoofed and (b) is unreliable because many browsers now strip it for privacy reasons.
Lee SavidgeConnect With a Mentor Commented:
Julian HansenConnect With a Mentor Commented:
Remember this information can be spoofed so don't rely on this for any kind of access control.
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

Dave BaldwinConnect With a Mentor Fixer of ProblemsCommented:
is unreliable because many browsers now strip it for privacy reasons.
I have to argue with that.  I use the 'HTTP_REFERER' daily in all browsers without a problem.  It may be blocked in 'In Private' browsing but not in regular use.
Dr. KlahnPrincipal Software EngineerCommented:
Dave, here is the background on that.  At my own site, on the average I see perhaps one referral logged for every 40 accesses to a .HTML file. And yet the accessors are going directly to the desired content, not to the home page, as evidenced again by the log.  This implies to me that they are being referred from somewhere, and yet there's no referral logged.

This article gives some illumination, as ...

According to the RFC 2616:

Clients SHOULD NOT include a Referrer header field in a (non-secure) HTTP request if the referral page was transferred with a secure protocol.

So blame it on the RFC.  Any site which uses HTTP by default, but gets referrals from sites using HTTPS by default, can expect, for the most part, nothing in the referral fields.  Most modern browsers comply with this, it appears, since I very, very seldom see referrals from Google or Bing -- and the few I do see appear to be from older browsers.

Dave BaldwinFixer of ProblemsCommented:
I'll have to check on that.  Most of the pages I was thinking of are HTTPS connections.  And come to think of it, where I thought 'we' should be getting 'referers' we aren't so maybe we'll have to change the links to 'https'.
Dr. KlahnPrincipal Software EngineerCommented:
EE email requested stale question closure.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.