Is it better to use HTTP REFERER for redirection or use some other method?

We are currently storing the user's HTTP_REFERER so that we can redirect the user to the previous page they viewed before they logged in.

The HTTP Referer comes from the client and can be spoofed or empty. Is there a safer / more reliable way to provide this user-friendly behaviour?

+1

6 answers


Do you have sessions?

If so, you can track on the server side the pages they accessed in this session and send them back to the previous one.

(Caching can mess this up, but you can adjust the cache control header accordingly:



But it all seems like more pain than gain. Is there any real problem with sending them back to a fake page if they're stupid enough to do so?

Paul.

+2


Something like

history.go(-1);

is the only alternative I can think of (JavaScript).

+2


I usually submit it using the login form.

<form action="login" method="post">
<!-- return target carried with the login POST rather than read from the Referer -->
<input type="hidden" name="url" value="... whatever the current url is ...">
<input type="text" name="username">
<input type="password" name="password">
</form>

0


Not that I know of. But then, are you suggesting that regular users will spoof their Referer just to be redirected to the wrong place? It seems unlikely.

I'm worried about redirecting users to where they came from without even asking them about it. I would either have a preference option to decide whether to allow this or not (and where), or prompt them before the redirect, giving them the option to deny it.

If, as RoBorg suggests, you offer login screens for sites other than your own and want to keep the original site, then of course you can use the same form to submit the site they signed in from.

0


The referrer probably works great for most users, although I think you will need to check for XSRF. What we do is that when someone gets into an area where they have to log in, they are redirected to the login page, with the URL they were on saved in the session.

Once they are logged in, they will be redirected to the previous URL.

Of course, this depends a lot on your authentication setup!

0


I have a function that uses several different methods to redirect depending on which path the user took to get to the login page.

The function I call after the user is logged in looks something like this:

' Called once the user has authenticated; picks the redirect target in priority order.
Protected Sub doRedirect(ByVal sender As Object, ByVal e As System.EventArgs)
    ' 1. Explicit return target passed in the query string (?rtn=...)
    If Not Request.QueryString("rtn") Is Nothing Then
        Response.Redirect(Request.QueryString("rtn").ToString)
    ' 2. Hidden field posted along with the login form
    ElseIf Me.hidden_return.Value <> "" Then
        Response.Redirect(Me.hidden_return.Value)
    ' 3. HTTP Referer, unless the referring page is the login page itself
    ElseIf Not Request.UrlReferrer Is Nothing AndAlso Request.UrlReferrer.Segments(Request.UrlReferrer.Segments.Length - 1) <> "login.aspx" Then
        Response.Redirect(Request.UrlReferrer.ToString)
    ' 4. Fallback when no return target is known
    Else
        Response.Redirect("default.aspx")
    End If
End Sub

Obviously this can all be spoofed on the client side, but I don't care if they want to fool themselves.

0
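Whichever carrier the answers above use (session, hidden form field, query string or Referer), the value can be tampered with, so the redirect target should be validated before use. The following is an added example, not code from any answer in this thread: it accepts only a local path on the current site, rejects anything that could send the browser off-site, and shows the session-stored variant from the last answers. The function names and the "/default.aspx" fallback (taken from the VB answer) are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_LANDING = "/default.aspx"   # assumed fallback page, as in the VB answer


def safe_return_url(candidate, default=DEFAULT_LANDING):
    """Return `candidate` only if it is a plain path on this site.

    Absolute URLs, protocol-relative "//host" forms, backslash variants,
    non-http schemes and control characters all fall back to `default`.
    """
    if not candidate or not isinstance(candidate, str):
        return default
    # Browsers treat "\" like "/" in the authority position, so "/\evil"
    # behaves like "//evil": normalise before checking.
    cleaned = candidate.replace("\\", "/").strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cleaned):
        return default          # header-injection / obfuscation attempts
    if cleaned.startswith("//"):
        return default          # "//host" and "///host" resolve off-site
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return default          # absolute URL, incl. javascript: and data:
    if not parts.path.startswith("/"):
        return default          # relative path: ambiguous, so refuse it
    # Keep path and query so the user lands where they were; drop the fragment.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def remember_return_url(session, requested_path):
    """Called when an unauthenticated request hits a protected page."""
    session["return_url"] = safe_return_url(requested_path)


def post_login_redirect(session):
    """Called after credentials are verified: consume the stored target once."""
    return safe_return_url(session.pop("return_url", None))


if __name__ == "__main__":
    # Constructed sample inputs showing accepted and rejected targets.
    for sample in ["/account/orders?page=2#top", "//evil.example/x",
                   "/\\evil.example", "javascript:alert(1)", "relative/page"]:
        print(repr(sample), "->", safe_return_url(sample))
```

The same checks apply to the `rtn` query-string value and the hidden `url` field in the other answers; only the storage location differs.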
