Http Referer Validation

  • Question

  • User-728310147 posted

    We are using Page Referer

    like this

    HttpContext.Current.Request.ServerVariables("HTTP_REFERER")

    but this code works properly in IE only; we need multi-browser support

    Thanks in Advance

    Maheswaran Sankarappan R

    Thursday, January 9, 2014 1:51 AM

Answers

  • User281315223 posted

    I'm not sure what you are trying to accomplish, but it's important to know that the UrlReferrer property of your Request object is notoriously unreliable and may not always be populated.

    If you need a more reliable way to determine where your previous request came from, you might want to consider storing it prior to performing any navigation away from it (as it will only be populated if pages are changed through clicking an <a> tag) if that is possible. 

    I think the only reliable methods of handling this would be to either temporarily store the value using the Session or pass the previous page in as a QueryString parameter : 

    //Stores your current page within the Session 
    Session["Referrer"] = System.IO.Path.GetFileName(Request.Url.AbsolutePath);
    Server.Transfer("PageB.aspx"); //This could be Response.Redirect()

    or using the QueryString method : 

    //Stores your current page as a QueryString parameter 
    string pageName = System.IO.Path.GetFileName(Request.Url.AbsolutePath);
    Server.Transfer(string.Format("PageB.aspx?referrer={0}", pageName)); //This could obviously be Response.Redirect()

    Both of which you will be able to access within the Page_Load event of your PageB.aspx page as such : 

    //Use one of the two lines below, not both
    //Access from Session (null if nothing was stored)
    string referralUrl = Session["Referrer"] as string;
    //Access from QueryString (null if the parameter is missing)
    string referralUrl = Request.QueryString["Referrer"];

    So by navigating using the window.location.href property, you aren't going to be able to currently access the proper referer without storing it previously as seen below : 

    //Stores your current page within the Session
    Session["Referrer"] = System.IO.Path.GetFileName(Request.Url.AbsolutePath);
    
    //Perform your Navigation
    ScriptManager.RegisterStartupScript(this, GetType(), "msg", "<script>alert('Invalid Old Password');window.location.href='ChangePassword.aspx';</script>", false);

    and then when you navigate to your ChangePassword.aspx page, you could simply check to see if the Session key exists and access the Referrer through there : 

    string urlReferrer = "";
    
    //Check the Request to see if a referrer is available
    if(Request.UrlReferrer != null)
    {
          //Use it here (UrlReferrer is a Uri, so convert it to a string)
          urlReferrer = Request.UrlReferrer.ToString();
    }
    //Otherwise check if it is stored in the Session
    else if(Session["Referrer"] != null)
    {
          //Use it here through the Session (stored as object, so convert it)
          urlReferrer = Session["Referrer"].ToString();
    }
    
    //Continue with your logic here

    Both of these approaches will require you to have some degree of control over navigating to your site or application.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 9, 2014 6:12 PM

All replies

  • User-760709272 posted

    Setting the referrer isn't mandatory, some browsers will do it and some won't (however I'm sure most do).  It is easily spoofed anyway, if I was checking for it I would deny the request if the referrer doesn't match my own site but if the referrer doesn't exist then do nothing.

    Thursday, January 9, 2014 4:33 AM
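
The policy described in the reply above (deny a referrer that names another site, do nothing when it is missing), combined with the header-then-Session fallback from the accepted answer, as an added example that is not part of any post in this thread. The values are taken as plain parameters (in a page they would be Request.Url, Request.UrlReferrer and Session["Referrer"]); RefererPolicy, Check, ResolvePreviousPage and the sample URLs are hypothetical.

```csharp
using System;
using System.IO;

// Added example; RefererPolicy, Check and ResolvePreviousPage are hypothetical names.
public static class RefererPolicy
{
    // Reply's policy: a missing Referer is ignored, a present one must name our host.
    // The host is compared exactly after parsing, never by substring match.
    public static bool Check(Uri requestUrl, Uri referrer)
    {
        if (referrer == null) return true;            // header absent: do nothing
        if (!referrer.IsAbsoluteUri) return false;    // cannot be tied to a host
        return string.Equals(referrer.Host, requestUrl.Host,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Accepted answer's order: the header first, then the value saved in
    // Session before navigating. Returns a page file name, or null if unknown.
    public static string ResolvePreviousPage(Uri requestUrl, Uri referrer, object sessionValue)
    {
        if (referrer != null && Check(requestUrl, referrer))
            return Path.GetFileName(referrer.AbsolutePath);
        return sessionValue as string;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values, not taken from the thread.
        var request = new Uri("https://app.example.test/ChangePassword.aspx");
        var own = new Uri("https://app.example.test/Login.aspx?x=1");
        var lookalike = new Uri("https://app.example.test.other.example/Login.aspx");

        Console.WriteLine(RefererPolicy.Check(request, null));
        Console.WriteLine(RefererPolicy.Check(request, own));
        Console.WriteLine(RefererPolicy.Check(request, lookalike));
        Console.WriteLine(RefererPolicy.ResolvePreviousPage(request, own, "Profile.aspx"));
        Console.WriteLine(RefererPolicy.ResolvePreviousPage(request, null, "Profile.aspx"));
        Console.WriteLine(RefererPolicy.ResolvePreviousPage(request, lookalike, null) ?? "(unknown)");
    }
}
```
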
  • User465171450 posted

    This is something you can never rely on. Not all browsers will send this information, and even if they do, they don't do it all the time. You cannot rely on this to contain valid data.

    Thursday, January 9, 2014 5:55 PM