problems with Request.UrlReferrer

  • Thread starter Thread starter Harley
  • Start date Start date
H

Harley

i have found a problem when using Request.UrlReferrer. if i call the page
using a javascript function, the referrer is null...
i need to call a page and open it on a specific browser size, with no
toolbar, menu, etc. and also need to check that the call comes from a
specific page.
how to make request.UrlReferrer work?
 
Harley said:
i have found a problem when using Request.UrlReferrer. if i call the page
using a javascript function, the referrer is null...
i need to call a page and open it on a specific browser size, with no
toolbar, menu, etc. and also need to check that the call comes from a
specific page.
how to make request.UrlReferrer work?
Click to expand...

What makes you think it's broken?

If you want the page to know which page it came from, even when invoked by
your JavaScript function, then send the URL in a query string.
 
but theres an html header that automatically gives you that... the
Request.Referrer function read the header and exposes its value...
in my case, i need to know the url of the referrer because the system will
only allow calls from specific URLs. if you pass it as a parameter manually,
the security is useless.
everything work ok using standard <A HREF> but a call using javascripts
windows.open gives a blank referrer.
 
Harley said:
but theres an html header that automatically gives you that...
Click to expand...

Yes, but are you sure that this header was supplied? Perhaps it wasn't.
the
Request.Referrer function read the header and exposes its value...
in my case, i need to know the url of the referrer because the system will
only allow calls from specific URLs. if you pass it as a parameter manually,
the security is useless.
Click to expand...

The security is useless anyway! The header comes from the client as well.
Surely if the client can spoof the querystring, then the client can spoof
the Referrer header.

You should find another security method.
 
sure, youre right the client can spoof with the header... the check is not
supposed to provide a tight security, but an additional annoyance to
unauthorized calls.
i though that window.open ('www.server.com/page.htm') would create a regular
normal http header, including the referrer. am i wrong?
 
Harley said:
sure, youre right the client can spoof with the header... the check is not
supposed to provide a tight security, but an additional annoyance to
unauthorized calls.
i though that window.open ('www.server.com/page.htm') would create a regular
normal http header, including the referrer. am i wrong?
Click to expand...

If you look at the header, I believe you'll find that you're wrong.
 
Back
Top