HTTP_REFERER question

Discussion in 'ASP General' started by M Smith, Mar 22, 2005.

  1. M Smith

    M Smith Guest

    On our web site we allow our members access to features hosted by another
    web site. The way the other web site authenticates users is to check the
    value of the HTTP_REFERER. If it comes from our Login.asp page it lets them
    in. When our users login to go to the other site, they login on our site's
    Login.asp page. When they click submit, our LoginCheck.asp page validates
    them and does a response.redirect to the other site. In most cases the
    other site sees the HTTP_REFERER as Login.asp (I guess because the
    LoginCheck.asp is doing a redirect and HTTP_REFERER doesn't work with
    redirects). But in some case the other site is seeing nothing in the
    HTTP_REFERER. My question is why would there not be a value in the
    HTTP_REFERER object? If anyone can help I would appeciate it.
     
    M Smith, Mar 22, 2005
    #1
    1. Advertising

  2. M Smith

    Thomas Guest

    there are clients (webbrowsers) that do not sent HTTP_REFERER. some clients
    even allow you to change the referer value. doing an authentication based on
    http referer ist about the weakest security you can have. basically you
    could as well just put the link on your page without any login :)

    - thomas


    "M Smith" <> wrote in message
    news:...
    > On our web site we allow our members access to features hosted by another
    > web site. The way the other web site authenticates users is to check the
    > value of the HTTP_REFERER. If it comes from our Login.asp page it lets
    > them
    > in. When our users login to go to the other site, they login on our
    > site's
    > Login.asp page. When they click submit, our LoginCheck.asp page validates
    > them and does a response.redirect to the other site. In most cases the
    > other site sees the HTTP_REFERER as Login.asp (I guess because the
    > LoginCheck.asp is doing a redirect and HTTP_REFERER doesn't work with
    > redirects). But in some case the other site is seeing nothing in the
    > HTTP_REFERER. My question is why would there not be a value in the
    > HTTP_REFERER object? If anyone can help I would appeciate it.
    >
    >
     
    Thomas, Mar 22, 2005
    #2
    1. Advertising

  3. > redirects). But in some case the other site is seeing nothing in the
    > HTTP_REFERER. My question is why would there not be a value in the
    > HTTP_REFERER object?


    Because it is totally up to the browser to send it or not.
    http://www.aspfaq.com/2169
     
    Aaron [SQL Server MVP], Mar 22, 2005
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Elliot M. Rodriguez
    Replies:
    1
    Views:
    673
    bruce barker
    Feb 12, 2004
  2. SStory

    HTTP_REFERER blank

    SStory, Feb 27, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    2,434
    Eric Lawrence [MSFT]
    Feb 28, 2004
  3. =?Utf-8?B?cHBhdGVs?=

    Request.ServerVariables ("HTTP_REFERER") using https

    =?Utf-8?B?cHBhdGVs?=, Mar 2, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    3,616
    Eric Lawrence [MSFT]
    Mar 3, 2004
  4. Troy

    Hit redirection & HTTP_REFERER

    Troy, Jun 24, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    635
    Joerg Jooss
    Jun 26, 2004
  5. John

    Getting HTTP_REFERER value

    John, Oct 6, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    858
Loading...

Share This Page