
alternative to HTTP_REFERER

JP
Guest
 
Posts: n/a
#1: Oct 28 '08
I have two C#.NET applications:

Application A
Application B

Application A will create a SQL GUID when the user first logs on

Whenever the user clicks on a link to go to Application B a new window opens
up and this GUID is passed to Application B via the URL.

Application B will verify that the GUID sent by Application A exists in the
database. If it does, then it will continue on its merry way.

My problem:
I want to verify that the application sending the GUID to Application B is
indeed Application A and not some other application. In the past I've done this by
having the application name as a string parameter in the process that creates
the GUID in Application A.

The problem is that because I’m relying on the user to tell me they are
Application A when creating the token, they could easily claim to be
something else and I couldn’t stop the request to Application B.

I tried using HTTP_REFERER so that I could check headers to see if the same
application that created the GUID is the same application using the GUID. And
it also allows me to not rely on the user to tell me the truth. This works
wonderfully as long as you're using HTTP. Once you're behind HTTPS, it's not
available.

Is there an alternative way to find out the referring URL or some other
piece of information when a request comes in that could identify the calling
application that works with both HTTP(S)? Host IP address doesn't work either
if they are behind a proxy. Many say the HTTP_REFERER can be spoofed; that
may be true, but it's far better than asking the users to be truthful when
sending it as a parameter.

For theoretical example:

I developed http://www.yahoo.com and I say only http://msdn.microsoft.com is
allowed to view content. If a .NET web page attempts to open yahoo.com I want
to look and make sure it's msdn.microsoft.com and not another URL.

--
JP
.NET Software Developer
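Since neither the referer nor a self-declared application name can be trusted, the usual fix for the problem above is to have Application A sign the GUID with a key that only A and B share, so B checks the signature rather than a header. This is an added C# example, not code from the post; it assumes a shared secret kept in both applications' protected configuration, an issuer name and an expiry chosen by the caller, and issuer names that contain no '|' character.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post. Assumes a secret shared
// out-of-band between Application A and Application B (kept in each app's
// protected configuration, never sent to the browser) and issuer names
// that contain no '|' character.
public static class IssuerToken
{
    // Token layout: issuer|guidN|expiresUtcTicks|hex(HMAC-SHA256 over the first three fields)
    public static string Issue(string issuer, Guid sessionGuid, DateTime expiresUtc, byte[] sharedSecret)
    {
        string payload = issuer + "|" + sessionGuid.ToString("N") + "|" + expiresUtc.Ticks;
        return payload + "|" + Mac(payload, sharedSecret);
    }

    // Returns the GUID only if the MAC verifies, the issuer matches and the token
    // has not expired; the database existence check from the post runs after this.
    public static Guid? Verify(string token, string expectedIssuer, byte[] sharedSecret, DateTime nowUtc)
    {
        string[] parts = token.Split('|');
        if (parts.Length != 4) return null;
        string payload = string.Join("|", parts, 0, 3);
        if (!FixedTimeEquals(Mac(payload, sharedSecret), parts[3])) return null;
        if (!string.Equals(parts[0], expectedIssuer, StringComparison.Ordinal)) return null;
        long ticks;
        if (!long.TryParse(parts[2], out ticks) || new DateTime(ticks, DateTimeKind.Utc) < nowUtc) return null;
        Guid sessionGuid;
        if (!Guid.TryParseExact(parts[1], "N", out sessionGuid)) return null;
        return sessionGuid;
    }

    private static string Mac(string payload, byte[] sharedSecret)
    {
        using (HMACSHA256 hmac = new HMACSHA256(sharedSecret))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // Constant-time comparison so a forger learns nothing from response timing.
    private static bool FixedTimeEquals(string expected, string presented)
    {
        if (expected.Length != presented.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ presented[i];
        return diff == 0;
    }
}
```

Application A calls Issue() with its own issuer name when it builds the link; Application B calls Verify() with the issuer it expects and then runs its existing database lookup on the returned GUID. A request carrying a token that was not minted with the shared secret fails the MAC check no matter what referer or application name it claims.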
