determine origin of request


John A Grandy

How to determine if a request originated from a link click, or otherwise
(such as pasting the url into the browser).

This would seem to work ...

if (Request.Url.Host == Request.UrlReferrer.Host)
{


But what if Request.UrlReferrer == null ... ?

Any other ideas ?
 
How to determine if a request originated from a link click, or otherwise
(such as pasting the url into the browser).

This would seem to work ...

if (Request.Url.Host == Request.UrlReferrer.Host)
{


But what if Request.UrlReferrer == null ... ?

Request.UrlReferrer, aka Request.ServerVariables["HTTP_REFERER"] cannot be
relied upon at all...
http://www.google.co.uk/search?hl=en&rls=GGLG,GGLG:2006-28,GGLG:en&q="HTTP_REFERER"+reliable&meta=

Just like the IP address, it is so easy to spoof it
(http://www.datatrendsoftware.com/spoof.html), to the extent where the best
advice I can give you is simply not to try. Think about why you *REALLY*
need to know this information, and then work around it...
 
Hmmm ...

Ok. Well, for sites with a tracking page that writes some tracking data to
db and then redirects to the target url, what are other solutions to stop
hackers from manipulating the tracking data ?

Mark Rae said:
How to determine if a request originated from a link click, or otherwise
(such as pasting the url into the browser).

This would seem to work ...

if (Request.Url.Host == Request.UrlReferrer.Host)
{


But what if Request.UrlReferrer == null ... ?

Request.UrlReferrer, aka Request.ServerVariables["HTTP_REFERER"] cannot be
relied upon at all...
http://www.google.co.uk/search?hl=en&rls=GGLG,GGLG:2006-28,GGLG:en&q="HTTP_REFERER"+reliable&meta=

Just like the IP address, it is so easy to spoof it
(http://www.datatrendsoftware.com/spoof.html), to the extent where the
best advice I can give you is simply not to try. Think about why you
*REALLY* need to know this information, and then work around it...
 
Ok. Well, for sites with a tracking page that writes some tracking data to
db and then redirects to the target url,

LOL! All that tells them is that the target URL has come from the tracking
page! The initial request to the tracking page could have come from
anywhere - don't you get it?

what are other solutions to stop hackers from manipulating the tracking
data ?

None that I know of, and this is another of those occasions where I would
dearly *love* to be proven wrong...

I've seen all sorts of "smoke and mirrors" solutions involving encrypted
querystrings and God knows what - none of them works...
 
Guess I'm not as cynical as you.

I do see a couple moves in the right direction :

1. checking Request.UrlReferrer.Host against Request.Url.Host at least
prevents against the simple hack of copy/pasting a url from a link button
into a browser.

2. hashing the track click url and tacking it onto the end as an additional
param and on link click re-constructing the hash server-side and comparing
to the link's hash would prevent against automated software that sent
endless tracking requests with small variations
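
Point 2 in the post above, sketched as an added example that is not code from the thread: it uses a keyed HMAC-SHA256 instead of a plain hash (a swap made here, because anyone can recompute an unkeyed hash of the URL). `TrackingLinkSigner`, the `id`/`target`/`sig` parameter names and the demo key are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: sign tracking links when they are generated, verify them on the tracking page.
public static class TrackingLinkSigner
{
    // Constructed demo key; a real site loads a random secret from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");

    // Length-prefix each field so ("ab","c") and ("a","bc") never yield the same MAC input.
    private static string Sign(string linkId, string target)
    {
        string message = linkId.Length + ":" + linkId + "|" + target.Length + ":" + target;
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    // Query string the link-generating page appends to the tracking URL.
    public static string BuildQuery(string linkId, string target)
    {
        return "id=" + Uri.EscapeDataString(linkId) + "&target=" + Uri.EscapeDataString(target)
             + "&sig=" + Sign(linkId, target);
    }

    // Tracking page: call with the decoded query values before the db write and the redirect.
    public static bool Verify(string linkId, string target, string sig)
    {
        if (linkId == null || target == null || sig == null) return false;
        string expected = Sign(linkId, target);
        if (sig.Length != expected.Length) return false;
        int diff = 0; // accumulate differences so timing does not reveal the first mismatch
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ char.ToLowerInvariant(sig[i]);
        return diff == 0;
    }

    public static void Main()
    {
        string target = "https://example.com/landing"; // constructed sample values
        string query = BuildQuery("42", target);
        string sig = query.Substring(query.LastIndexOf("&sig=", StringComparison.Ordinal) + 5);
        Console.WriteLine(query);
        Console.WriteLine("untampered: " + Verify("42", target, sig));
        Console.WriteLine("target changed: " + Verify("42", "https://other.example/", sig));
    }
}
```

A valid signature only shows that the site issued this exact id and target, which also stops the redirect target from being swapped. It does not show that a person clicked the link, so the same signed link can still be requested repeatedly or from outside a browser.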
 