Server Variables Question

Rob

I have a simple piece of code which is being difficult.
I have a web page (in classic asp) that will redirect to a login page if
they didn't come from that page.

Which means that they have to access my page via the login page.

The login page...which is done in asp.net and resides on a server will
be directed to a default page once logged in. On this default
page...there's a link to access my page which is on another server and
done in classic asp.
On my page I test to see if they came from the default page.
This is my code:
<%
' Bounce the visitor to the login page unless the browser says it came from the default page
If Request.ServerVariables("HTTP_REFERER") <> "http://www.thedefaultpage.com" Then
    Response.Redirect "http://www.theloginpage.com"
End If
%>

When I do a response.write request.servervariables("HTTP_REFERER") it
shows up empty. Is there an issue with using server variables from an
aspx page to an asp page?

Thanks
Rob
 
Rob

Ya, I tried that and I tried just the domain and neither of them worked.
I wasn't sure exactly what path would be returned so I tried to display
it on the page and it's an empty string.

Rob
 
Juan T. Llibre

You do realize, Rob, that if clients have bookmarked
any .aspx page in your asp.net server ( *not* on the
.asp server ) that HTTP_REFERER will be empty,
don't you ?

That would mean that the client wasn't referred from
your .asp page, yet they'd be allowed to view your
.aspx page without being re-directed.




Juan T. Llibre
ASP.NET MVP
===========
 
bruce barker

also a lot of proxy servers strip the HTTP_REFERER header

-- bruce (sqlwork.com)

| You do realize, Rob, that if clients have bookmarked
| any .aspx page in your asp.net server ( *not* on the
| .asp server ) that HTTP_REFERER will be empty,
| don't you ?
|
| That would mean that the client wasn't referred from
| your .asp page, yet they'd be allowed to view your
| .aspx page without being re-directed.
|
|
|
|
| Juan T. Llibre
| ASP.NET MVP
| ===========
| | >
| > Ya, I tried that and I tried just the domain and neither of them worked.
| > I wasn't sure exactly what path would be returned so I tried to display
| > it on the page and it's an empty string.
| >
| > Rob
|
|
 
Rob

Actually it's the other way around. They login to the aspx page and when
they click on the link on the default page, they go to my asp page.
They're also passing a querystring parameter on that link and I check
for that too.

I realize the bookmark issue and I'm checking to see if the querystring
is empty or if they were referred from the default page. That ensures
that they have to access my page through the login.aspx page.
I've omitted this part because I didn't think it was relevant. I just
can't see why it would show up as empty string when trying to retrieve
the value.

I did some testing on our own server and showing the value of
request.servervariables("HTTP_REFERER") was not a problem.

Thanks
Rob
 
teknohippy

> Actually it's the other way around. They login to the aspx page and when
> they click on the link on the default page, they go to my asp page.
> They're also passing a querystring parameter on that link and I check
> for that too.
>
> I realize the bookmark issue and I'm checking to see if the querystring
> is empty or if they were referred from the default page. That ensures
> that they have to access my page through the login.aspx page.
> I've omitted this part because I didn't think it was relevant. I just
> can't see why it would show up as empty string when trying to retrieve
> the value.
>
> I did some testing on our own server and showing the value of
> request.servervariables("HTTP_REFERER") was not a problem.
>
> Thanks
> Rob

Doesn't it also mean that with the correct faked referer details you
wouldn't have to log in?

I
 
Rob

Does anyone know a better way of doing this? The client just wanted 2
things...that the user comes from the login page and that the guid that
is passed to me matches a field in another database where we keep their
contact information.

Worst case scenario is that someone fakes the referer and has to
register for an event where he would have to pay online for this guy.

Rob
 
Michael C#

Sounds like you need to check two things here: 1) That they are coming from
the login page, and 2) That they have successfully logged in. If either one
of these criteria is false, they need to be sent back to the login page,
right?

I would think that once the user logs in successfully, you could store the
GUID in a session variable? Just perform a check on the first page that the
HTTP_REFERER is correct and that they are logged in -- if so, set the
Session variable to the GUID on this page. On subsequent pages just check
that the Session variable exists and is set to the valid GUID (you can
either just check that the session variable actually exists, or for more
security check its validity against the database).

That's how I'm understanding your question anyway... I wouldn't pass
confidential info like a GUID via QueryString.

Thanks
 
Rob

Ya Michael, you're exactly right. However I'm limited in what I can do.
Our company is doing business with another company and they don't want
us to access their servers and this is the way they want us to handle
it. They want to pass us the guid and I'm to verify that on our database
(we have a duplicate database with all of their contact's information).
This is also done on a different server so the session variables wouldn't
work...unless we wrote the session variables to the database and
verified them from there.

I think they may have to bend a little if they want to secure the
application a little more.

Thanks for your help.

Rob
 
Michael C#

That verification protocol sounds like a prime candidate for a Web
Service... Until they implement that, it sounds like you have a Web
application that accesses their Website on the back end? Perhaps you could
somehow "hide" the interaction with their Website? i.e., Send the request
with the guid parameter behind the scenes, never allowing the end user to
see or modify them? There's really no way to secure an app that relies on
the integrity of the end user as the first line of security...
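One way to make the cross-server check stop depending on HTTP_REFERER, following Rob's idea of writing the login state to the shared database and Michael's point about verifying the GUID server-side. This is an added Python sketch, not code from the thread; CONTACTS, login_tokens, the GUID value and the function names are constructed assumptions.

```python
import secrets
import time

# Constructed stand-in for the duplicated contact database both companies
# hold, keyed by the contact GUID the login page passes along.
CONTACTS = {"3f2504e0-4f89-11d3-9a0c-0305e82c3301": "Alice Example"}

# Constructed shared table the login server writes and the ASP server reads:
# token -> {"guid": ..., "expires": unix time, "used": bool}
login_tokens = {}

TOKEN_TTL = 300  # seconds a login token stays valid


def issue_login_token(guid, now=None):
    """Login-server side: after a successful login, record a single-use,
    unguessable token bound to the contact GUID and put it on the link."""
    if guid not in CONTACTS:
        raise KeyError("unknown contact GUID")
    token = secrets.token_urlsafe(32)
    login_tokens[token] = {
        "guid": guid,
        "expires": (time.time() if now is None else now) + TOKEN_TTL,
        "used": False,
    }
    return token


def verify_request(query, now=None):
    """Classic-ASP side: decide whether to serve the page from the querystring
    alone. HTTP_REFERER is deliberately not consulted: bookmarks and proxies
    blank it, and the browser can send any value it likes."""
    token = query.get("token", "")
    guid = query.get("guid", "")
    rec = login_tokens.get(token)
    if rec is None or rec["used"]:
        return False                     # unknown token or a replayed link
    if (time.time() if now is None else now) > rec["expires"]:
        return False                     # stale link
    if rec["guid"] != guid or guid not in CONTACTS:
        return False                     # GUID does not match the login record
    rec["used"] = True                   # single shot: the same link cannot be reused
    return True
```

The referer check can stay as a convenience redirect, but the decision to serve the page rests on the database lookup, which the end user cannot influence.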
 
