
HTTP_REFERER problem 1


trezlub

Programmer
May 2, 2003
67
GB
I have a page that calls another page upon submitting a form (page1 and page2). Within the called page (page2), there is a line of logic to redirect back to the calling page, i.e.

<%
' VBScript string literals use double quotes; a single quote starts a comment,
' so Response.Redirect 'page1.asp' would redirect to nothing. Corrected form:
Response.Redirect "page1.asp"
%>

I would then expect that the value within the HTTP_REFERER server variable would be equal to 'page2.asp'. Instead it seems to retain the value of the calling page (page1). Can anyone help me? I have looked this up on this site and though I found examples of where people had the same problem I did not find a solution.
 
Strange, then. I know that Server.Transfer, for example, doesn't change the URL to the new page (the browser never gets the request), but a simple POST should. I assume that the browser does, indeed, show "page2.asp" as the URL.

I also have heard that secure sessions -- https -- automatically have their referrer cleared by the browser. Is this secure, by chance?
 
Sorry, I've got to crash. I did some searching and haven't found anything, so if it's not the server.transfer thing nor the https thing, I'm out of guesses.

Matthew
 
yes it does show the correct URL. I am confused.

No I am not using https.
 
trezlub,
Let me try and explain the process:

- You open your browser and go to page1. The page is loaded with the form OK.
- When you click Submit, the browser requests page2 (remember at this point the Referer is page1).
- The server goes to get page2 and comes across the Response.Redirect so immediately stops processing page2 and goes and gets page1. This is the key! Because it got redirected (and remember this must come before any of the HTTP headers are output), nothing was ever output from page2 and the initial request for page2 has now in effect become a request for page1 (which originated from page1 itself!). That's why you see page1 in the Referer.

I hope that makes sense!

--James
 
Use vbkris's suggestion and redirect to "page1.asp?fail=true".

There is really nothing insecure about doing this as all the querystring value does is control whether to display your "login failed - please try again" message or not. The actual page functionality is not affected at all - a user still has to enter a correct username/password to get through.

The only thing a user could do to "hack" it is to delete the "fail=true" from the URL. Woohoo - they don't get the message! Hardly a major security breach. ;-)

--James
 
Why not just response.flush some headers and html back to the browser before redirecting?

codestorm
Newbie Life Member.
Fire bad. Tree pretty. - Buffy
<insert witticism here>
 
Once any headers or HTML has been sent to the client you cannot redirect.

--James
 
O.K., here is a final go.

It seems that Response.Redirect is the problem, so to hell with ASP; try JavaScript:

<%
' login_failed stands for whatever your credential check sets
If login_failed Then
    Response.Redirect "error.html"
End If
%>

error.html:
<html>
<body onload="location.href='page1.asp'">
</body>
</html>

In page1.asp now try using the Referer method; if it says error.html then bingo!!!!

Known is handfull, Unknown is worldfull
 
vbkris,
I agree that would work but it seems like a horribly messy way to do what is really quite a simple, often-utilised technique of using the querystring!
Not to mention the additional processing and server roundtrip it produces...

--James
 
NOTE: my aim is to avoid query strings.
O.K.,
but this may save some time.

Instead of going to error.html, in page2 itself something can be done:

<body
<%
if condition_not_satisfied then
%>
onLoad="location.href='page1.asp'"
<%
end if
%>
>

This will save that roundabout trip also.

Known is handfull, Unknown is worldfull
 