Server Variables Question

Rob

I have a simple piece of code which is being difficult.
I have a web page (in classic asp) that will redirect to a login page if
they didn't come from that page.

Which means that they have to access my page via the login page.

The login page...which is done in asp.net and resides on a server will
be directed to a default page once logged in. On this default
page...there's a link to access my page which is on another server and
done in classic asp.
On my page I test to see if they came from the default page.
This is my code:
' Send anyone who did not arrive from the default page to the login page
If Request.ServerVariables("HTTP_REFERER") <> "http://www.thedefaultpage.com" Then
    Response.Redirect "http://www.theloginpage.com"
End If

When I do a response.write request.servervariables("HTTP_REFERER") it
shows up empty. Is there an issue with using server variables from an
aspx page to an asp page?

Thanks
Rob
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Nov 19 '05 #1
Shouldn't that be:

If Request.ServerVariables("HTTP_REFERER") <> "http://www.yourserver.com/thedefaultpage.asp" Then
    Response.Redirect "http://www.yourserver.com/loginpage.aspx"
End If

???
Juan T. Llibre
ASP.NET MVP
===========
Nov 19 '05 #2
Rob

Ya, I tried that and I tried just the domain and neither of them worked.
I wasn't sure exactly what path would be returned so I tried to display
it on the page and it's an empty string.

Rob
Nov 19 '05 #3
You do realize, Rob, that if clients have bookmarked
any .aspx page in your asp.net server ( *not* on the
.asp server ) that HTTP_REFERER will be empty,
don't you?

That would mean that the client wasn't referred from
your .asp page, yet they'd be allowed to view your
.aspx page without being re-directed.


Juan T. Llibre
ASP.NET MVP
===========
Nov 19 '05 #4
Also, a lot of proxy servers strip the HTTP_REFERER header.

-- bruce (sqlwork.com)
Nov 19 '05 #5
Rob
Actually it's the other way around. They login to the aspx page and when
they click on the link on the default page, they go to my asp page.
They're also passing a querystring parameter on that link and I check
for that too.

I realize the bookmark issue and I'm checking to see if the querystring
is empty or if they were referred from the default page. That ensures
that they have to access my page through the login.aspx page.
I've omitted this part because I didn't think it was relevant. I just
can't see why it would show up as empty string when trying to retrieve
the value.

I did some testing on our own server and showing the value of
request.servervariables("HTTP_REFERER") was not a problem.

Thanks
Rob

Nov 19 '05 #6
Rob
Is there any way of configuring the proxy server to not do that?

Rob

Nov 19 '05 #7
On Wed, 26 Jan 2005 18:38:09 -0800, Rob <ro****@hotmail.com> wrote:
> Actually it's the other way around. They login to the aspx page and when
> they click on the link on the default page, they go to my asp page.
> They're also passing a querystring parameter on that link and I check
> for that too.
>
> I realize the bookmark issue and I'm checking to see if the querystring
> is empty or if they were referred from the default page. That ensures
> that they have to access my page through the login.aspx page.
> I've omitted this part because I didn't think it was relevant. I just
> can't see why it would show up as empty string when trying to retrieve
> the value.
>
> I did some testing on our own server and showing the value of
> request.servervariables("HTTP_REFERER") was not a problem.
>
> Thanks
> Rob

Doesn't it also mean that with the correct faked referer details you
wouldn't have to log in?

I

--
Iain Norman | http://www.eliteforum.org
Nov 19 '05 #8
Rob
Does anyone know a better way of doing this? The client just wanted 2
things...that the user comes from the login page and that the guid that
is passed to me matches a field in another database where we keep their
contact information.

Worst case scenario is that someone fakes the referer and has to
register for an event where he would have to pay online for this guy.

Rob
Nov 19 '05 #9
Sounds like you need to check two things here: 1) That they are coming from
the login page, and 2) That they have successfully logged in. If either one
of these criteria is false, they need to be sent back to the login page,
right?

I would think that once the user logs in successfully, you could store the
GUID in a session variable? Just perform a check on the first page that the
HTTP_REFERER is correct and that they are logged in -- if so, set the
Session variable to the GUID on this page. On subsequent pages just check
that the Session variable exists and is set to the valid GUID (you can
either just check that the session variable actually exists, or for more
security check its validity against the database).

That's how I'm understanding your question anyway... I wouldn't pass
confidential info. like a GUID via QueryString.

Thanks
Nov 19 '05 #10
Rob

Ya Michael, you're exactly right. However I'm limited in what I can do.
Our company is doing business with another company and they don't want
us to access their servers and this is the way they want us to handle
it. They want to pass us the guid and I'm to verify that on our database
(we have a duplicate database with all of their contacts' information).
This is also done on a different server so the session variables wouldn't
work...unless we wrote the session variables to the database and
verified them from there.

I think they may have to bend a little if they want to secure the
application a little more.

Thanks for your help.

Rob
Nov 19 '05 #11
That verification protocol sounds like a prime candidate for a Web
Service... Until they implement that, it sounds like you have a Web
application that accesses their Website on the back end? Perhaps you could
somehow "hide" the interaction with their Website? i.e., Send the request
with the guid parameter behind the scenes, never allowing the end user to
see or modify them? There's really no way to secure an app that relies on
the integrity of the end user as the first line of security...

Nov 19 '05 #12
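
Added example, not part of the original thread: a Python model of the Referer check from the first post, beside one way to hand a user from the login server to the second server without trusting a client-supplied header, using a link the login server signs with HMAC-SHA256. The shared secret, the 120-second lifetime and the ts/sig parameter names are assumptions.

```python
import hashlib
import hmac
import time

# Assumptions, not from the thread: a secret shared by the two servers out of
# band, a 120-second link lifetime, and the ts/sig parameter names.
SHARED_SECRET = b"constructed-demo-secret"
MAX_AGE = 120
DEFAULT_PAGE = "http://www.thedefaultpage.com"


def referer_gate(headers):
    """The check from the first post: admit only a matching Referer."""
    return headers.get("Referer", "") == DEFAULT_PAGE


def _sign(guid, ts):
    msg = f"{guid}|{ts}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_link(guid, now=None):
    """Login server: query parameters for the link on the default page."""
    ts = str(int(time.time() if now is None else now))
    return {"guid": guid, "ts": ts, "sig": _sign(guid, ts)}


def signed_gate(query, now=None):
    """Receiving server: admit only a fresh link with a valid signature."""
    guid, ts, sig = (query.get(k, "") for k in ("guid", "ts", "sig"))
    try:
        issued = int(ts)
    except ValueError:
        return False
    if not guid or not hmac.compare_digest(_sign(guid, ts).encode(), sig.encode()):
        return False
    age = (time.time() if now is None else now) - issued
    return 0 <= age <= MAX_AGE  # the GUID is still looked up in the database


# Constructed requests: the header holds whatever the client or a proxy sent.
via_proxy = {}                          # logged-in user, Referer stripped
client_set = {"Referer": DEFAULT_PAGE}  # header typed in by the client
```

referer_gate(via_proxy) is False and referer_gate(client_set) is True, which are the two failures raised in the thread. A signed link can still be replayed until it expires, so the lifetime should stay short.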
Rob
Thanks Michael,
I think I'll have to convince them to re-design it.

Rob

Nov 19 '05 #13
