Hello all,

I need to redirect the user from one page to another, but I need to maintain the original referer string. So, for example, if they start out on http://www.othersite.com/pageA.jsp, click a link that takes them to http://www.mysite.com/pageB.jsp, which then executes a 302 redirect to http://www.mysite.com/pageC.jsp, I need the referer string to contain "http://www.othersite.com/pageA.jsp"

Is this the normal behavior for a 302 redirect? Or would my original referer get dropped, in favor of "http://www.mysite.com/pageB.jsp" ? That would not be desirable.

I don't know if it makes any difference, but I'm working in JSP, and I'm using response.sendRedirect() to execute the 302 redirect.

I should mention that I did an experiment with this, and it seems to have kept the original referer string ("http://www.othersite.com/pageA.jsp") but I just wanted to make sure this was the normal default behavior, and not something weird on my end.

Thank you for your help.

EDITED TO ADD:

Although I'm currently using a 302 redirect, I could probably use a 301 redirect instead. Do you know if the behavior for 301 redirects is any more reliable?

+3  A: 

Good question. In this case, the sending of the referer depends entirely on the browser (because the browser is told to make another request to the new resource).

RFC 2616 remains silent about the issue:

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

I wouldn't trust the browser to send the right referer along. I bet there is at least one that sends something different than the others.

Workaround

If you can, why not add a ?override_referer=<old_url> parameter to the URL you redirect to, and parse that value instead of HTTP_REFERER?

That way you can be sure to always get the right result, and you're not losing anything in security: The referer can be faked either way.

Pekka
+6  A: 

Short answer is it's not specified in the relevant RFC 2616 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36 either for the Referer header or the 302 status code.

Your best bet is to do a test with several browsers and see if there's a consensus behaviour.

For full belt and braces, encode the original referrer in the redirect URL so you can guarantee to retrieve it.

Malcolm Box
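
The workaround both answers above describe (carrying the original referer in the redirect URL), shown as an added example that is not part of either answer. It uses plain JDK calls (Java 10+); the class name, the `MAX_LEN` cap and the http/https check are assumptions, and the recovered value is treated as untrusted input, just like the Referer header itself.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class RefererCarry {
    // Parameter name taken from the answer above; MAX_LEN is an assumed cap.
    static final String PARAM = "override_referer";
    static final int MAX_LEN = 2048;

    // pageB: append the incoming Referer header (may be null) to the redirect target.
    // In a JSP: response.sendRedirect(buildRedirect(target, request.getHeader("Referer")));
    static String buildRedirect(String target, String refererHeader) {
        if (refererHeader == null || refererHeader.isEmpty()) return target;
        String sep = target.contains("?") ? "&" : "?";
        return target + sep + PARAM + "=" + URLEncoder.encode(refererHeader, StandardCharsets.UTF_8);
    }

    // pageC: recover the value from the raw query string (request.getQueryString()).
    // Returns null if the parameter is absent, malformed, too long, or not an http(s) URL.
    static String readOriginalReferer(String rawQuery) {
        if (rawQuery == null) return null;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0 || !pair.substring(0, eq).equals(PARAM)) continue;
            try {
                String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                if (value.length() > MAX_LEN) return null;
                URI u = new URI(value);
                String scheme = u.getScheme();
                boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
                return (web && u.getHost() != null) ? value : null;
            } catch (Exception e) { // URISyntaxException or invalid percent-encoding
                return null;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values, using the URLs from the question.
        String location = buildRedirect("http://www.mysite.com/pageC.jsp", "http://www.othersite.com/pageA.jsp");
        System.out.println(location);
        System.out.println(readOriginalReferer(location.substring(location.indexOf('?') + 1)));
        System.out.println(readOriginalReferer(PARAM + "=javascript%3Avoid(0)"));
    }
}
```

Because anyone can edit the query string, use the recovered value only for logging or analytics, and HTML-escape it before displaying it; do not use it as a redirect target or for access decisions.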
A: 

You can do this server-side. For instance, with Apache, you can use a Reverse Proxy to achieve exactly this:

A reverse proxy is a gateway for servers, and enables one web server to provide content from another transparently. As with a standard proxy, a reverse proxy may serve to improve performance of the web by caching; this is a simple way to mirror a website. Loadbalancing a heavy-duty application, or protecting a vulnerable one, are other common usages. But the most common reason to run a reverse proxy is to enable controlled access from the Web at large to servers behind a firewall.

davek