Answered by:
Http Referer Validation

Question
-
User-728310147 posted
We are using Page Referer
like this
HttpContext.Current.Request.ServerVariables("HTTP_REFERER")
but this code working properly in IE only we need multi browser
Thanks in Advance
Maheswaran Sankarappan R
Thursday, January 9, 2014 1:51 AM
Answers
-
User281315223 posted
I'm not sure what you are trying to accomplish, but its important to know that the UrlReferrer property of your Request object is notoriously unreliable and may not always be populated.
If you need a more reliable way to determine where your previous request came from, you might want to consider storing it prior to performing any navigation away from it (as it will only be populated if pages are changed through clicking an <a> tag) if that is possible.
I think the only reliable methods of handling this would be to either temporarily store the value using the Session or pass the previous page in as a QueryString parameter :
//Stores your current page within the Session
Session["Referrer"] = System.IO.Path.GetFileName(Request.Url.AbsolutePath);
Server.Transfer("PageB.aspx"); //This could be Response.Redirect()or using the QueryString method :
//Stores your current page as a QueryString parameter
string pageName = System.IO.Path.GetFileName(Request.Url.AbsolutePath);
Server.Transfer(string.Format("PageB.aspx?referrer={0}",pageName); //This could obviously be Response.Redirect()Both of which you will be able to access within the Page_Load event of your PageB.aspx page as such :
//Access from Session
string referralUrl = Session["Referrer"].ToString();
//Access from QueryString
string referralUrl = Request.QueryString["Referrer"].ToString();So by navigating using the window.location.href property, you aren't going to be able to currently access the proper referer without storing it previously as seen below :
//Stores your current page within the Session Session["Referrer"] = System.IO.Path.GetFileName(Request.Url.AbsolutePath); //Perform your Navigation ScriptManager.RegisterStartupScript(this, GetType(), "msg", "<script>alert('Invalid Old Password');window.location.href='ChangePassword.aspx';</script>", false);
and then when you navigate to your ChangePassword.aspx page, you could simply check to see if the Session key exists and access the Referrer through there :
string urlReferrer = ""; //Check the Request to see if a referrer is available if(Request.UrlReferrer != null) { //Use it here urlReferrer = Request.UrlReferrer; } //Otherwise check if it is stored in the Session else if(Session["Referrer"] != null) { //Use it here through S urlReferrer = Session["Referrer"]; } //Continue with your logic here
Both of these approaches will require you to have some degree of control over navigating to your site or application.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Thursday, January 9, 2014 6:12 PM
All replies
-
User-760709272 posted
Setting the referrer isn't mandatory, some browsers will do it and some won't (however I'm sure most do). It is easily spoofed anyway, if I was checking for it I would deny the request if the referrer doesn't match my own site but if the referrer doesn't exist then do nothing.
Thursday, January 9, 2014 4:33 AM -
User465171450 posted
This is something you can never rely on. Not all browsers will send this information, and even if they do, they don't do it all the time. You cannot rely on this to contain valid data.
Thursday, January 9, 2014 5:55 PM -
User281315223 posted
I'm not sure what you are trying to accomplish, but its important to know that the UrlReferrer property of your Request object is notoriously unreliable and may not always be populated.
If you need a more reliable way to determine where your previous request came from, you might want to consider storing it prior to performing any navigation away from it (as it will only be populated if pages are changed through clicking an <a> tag) if that is possible.
I think the only reliable methods of handling this would be to either temporarily store the value using the Session or pass the previous page in as a QueryString parameter :
//Stores your current page within the Session
Session["Referrer"] = System.IO.Path.GetFileName(Request.Url.AbsolutePath);
Server.Transfer("PageB.aspx"); //This could be Response.Redirect()or using the QueryString method :
//Stores your current page as a QueryString parameter
string pageName = System.IO.Path.GetFileName(Request.Url.AbsolutePath);
Server.Transfer(string.Format("PageB.aspx?referrer={0}",pageName); //This could obviously be Response.Redirect()Both of which you will be able to access within the Page_Load event of your PageB.aspx page as such :
//Access from Session
string referralUrl = Session["Referrer"].ToString();
//Access from QueryString
string referralUrl = Request.QueryString["Referrer"].ToString();So by navigating using the window.location.href property, you aren't going to be able to currently access the proper referer without storing it previously as seen below :
//Stores your current page within the Session Session["Referrer"] = System.IO.Path.GetFileName(Request.Url.AbsolutePath); //Perform your Navigation ScriptManager.RegisterStartupScript(this, GetType(), "msg", "<script>alert('Invalid Old Password');window.location.href='ChangePassword.aspx';</script>", false);
and then when you navigate to your ChangePassword.aspx page, you could simply check to see if the Session key exists and access the Referrer through there :
string urlReferrer = ""; //Check the Request to see if a referrer is available if(Request.UrlReferrer != null) { //Use it here urlReferrer = Request.UrlReferrer; } //Otherwise check if it is stored in the Session else if(Session["Referrer"] != null) { //Use it here through S urlReferrer = Session["Referrer"]; } //Continue with your logic here
Both of these approaches will require you to have some degree of control over navigating to your site or application.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Thursday, January 9, 2014 6:12 PM