Http Referer Validation

Question

User-728310147 posted

We are using Page Referer

like this

HttpContext.Current.Request.ServerVariables("HTTP_REFERER")

but this code working properly in IE only we need multi browser

Thanks in Advance

Maheswaran Sankarappan R

Answer 1

User-760709272 posted

Setting the referrer isn't mandatory, some browsers will do it and some won't (however I'm sure most do).  It is easily spoofed anyway, if I was checking for it I would deny the request if the referrer doesn't match my own site but if the referrer doesn't exist then do nothing.

Answer 2

User465171450 posted

This is something you can never rely on. Not all browsers will send this information, and even if they do, they don't do it all the time. You cannot rely on this to contain valid data.

Answer 3

User281315223 posted

I'm not sure what you are trying to accomplish, but its important to know that the UrlReferrer property of your Request object is notoriously unreliable and may not always be populated.

If you need a more reliable way to determine where your previous request came from, you might want to consider storing it prior to performing any navigation away from it (as it will only be populated if pages are changed through clicking an <a> tag) if that is possible. 

I think the only reliable methods of handling this would be to either temporarily store the value using the Session or pass the previous page in as a QueryString parameter : 

//Stores your current page within the Session 
Session["Referrer"] = System.IO.Path.GetFileName(Request.Url.AbsolutePath); 
Server.Transfer("PageB.aspx"); //This could be Response.Redirect()

or using the QueryString method : 

//Stores your current page as a QueryString parameter 
string pageName = System.IO.Path.GetFileName(Request.Url.AbsolutePath); 
Server.Transfer(string.Format("PageB.aspx?referrer={0}",pageName); //This could obviously be Response.Redirect()

Both of which you will be able to access within the Page_Load event of your PageB.aspx page as such : 

//Access from Session 
string referralUrl = Session["Referrer"].ToString(); 
//Access from QueryString 
string referralUrl = Request.QueryString["Referrer"].ToString();

So by navigating using the window.location.href property, you aren't going to be able to currently access the proper referer without storing it previously as seen below : 

//Stores your current page within the Session
Session["Referrer"] = System.IO.Path.GetFileName(Request.Url.AbsolutePath);

//Perform your Navigation
ScriptManager.RegisterStartupScript(this, GetType(), "msg", "<script>alert('Invalid Old Password');window.location.href='ChangePassword.aspx';</script>", false);

and then when you navigate to your ChangePassword.aspx page, you could simply check to see if the Session key exists and access the Referrer through there : 

string urlReferrer = "";

//Check the Request to see if a referrer is available
if(Request.UrlReferrer != null)
{
      //Use it here
      urlReferrer = Request.UrlReferrer;
}
//Otherwise check if it is stored in the Session
else if(Session["Referrer"] != null)
{
      //Use it here through S
      urlReferrer = Session["Referrer"];
}

//Continue with your logic here

Both of these approaches will require you to have some degree of control over navigating to your site or application.