RE: HTTPS redirections


Like Jason said, this can be done by using HTTP header information: the referer field.

With JavaScript, for example, you can access the referer and, depending on the referer, send a visitor to a page (site) you prefer.

Here is an example of how to access the referer field with JavaScript


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Jason Ross
Sent: Saturday, August 25, 2007 12:13 AM
To: anthony@xxxxxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: HTTPS redirections

On 8/24/07, anthony@xxxxxxxxxxxx <anthony@xxxxxxxxxxxx> wrote:
I have noticed how some websites only allow access to a particular
page if a link within the page has been 'clicked', i.e. user cannot
paste link address in browser bar to get to desired page.
For security purposes I would like to create a script and achieve
similar results.

I believe that (at least one way) this is done is by checking the
referer header. In PHP this can be accessed via the predefined
variable: $_SERVER['HTTP_REFERER'], other languages should have
similar methods of obtaining this.

AFAIK, there is not a difference between HTTP and HTTPS as far as
this method is concerned.
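
The referer check discussed in this thread, sketched as an added example that is not part of the original messages: it parses the header and compares the full origin instead of matching a substring, and treats a missing or malformed value as a denial because the header is sent by the client and may be absent. `ALLOWED_ORIGIN`, the `/members/` prefix, the redirect targets and both function names are assumptions made for illustration.

```javascript
// Added example: Referer check as a pure function (runs in Node or a browser).
// ALLOWED_ORIGIN and the path prefix are constructed values, not from the thread.
const ALLOWED_ORIGIN = "https://www.example.com";

// Returns { allowed, reason } for a raw Referer header value (or undefined).
function checkReferer(refererHeader, allowedOrigin = ALLOWED_ORIGIN, allowedPathPrefix = "/") {
  // The header is optional: browsers, proxies and privacy settings may omit it.
  if (typeof refererHeader !== "string" || refererHeader.trim() === "") {
    return { allowed: false, reason: "missing" };
  }
  let ref;
  try {
    ref = new URL(refererHeader.trim());
  } catch (e) {
    return { allowed: false, reason: "malformed" };
  }
  // Compare scheme + host + port exactly. A substring or prefix match would
  // accept hosts such as www.example.com.attacker.test.
  if (ref.origin !== new URL(allowedOrigin).origin) {
    return { allowed: false, reason: "foreign-origin" };
  }
  if (!ref.pathname.startsWith(allowedPathPrefix)) {
    return { allowed: false, reason: "wrong-path" };
  }
  return { allowed: true, reason: "ok" };
}

// Hypothetical routing decision: serve the protected page only when the
// request was referred from the site's own /members/ area.
function routeRequest(refererHeader) {
  const result = checkReferer(refererHeader, ALLOWED_ORIGIN, "/members/");
  return result.allowed ? "/members/report" : "/login?why=" + result.reason;
}
```

Because the value is chosen by the requesting client, this check only filters casual direct access; pages that need real protection still require an authenticated session on the server.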

