views:

5194

answers:

8

I'm using a Response.Redirect to redirect users to another server to download a file, and the other server is checking the header to ensure it came from the correct server... however it seems Response.Redirect strips the headers from the Response.

Does anybody know how i can add the headers back? I've tried:

Response.AddHeader("Referer", "www.domain.com");

But the receiving page tests false when i check if the Referrer header is set.

Any suggestions how i can get this working, other than displaying a button for the user to click on (i'd like to keep the url hidden from the user as much as possible)

thanks greg

A: 

I don't think it's possible. What you are sending back to the client is a Location header that tells the client to load the page referred to instead of the page it originally requested. In this case the client is not coming from a link and thus does not set the referrer header. It's basically as if the user typed the redirect url in the location bar in his browser.

You may be able to save the referrer in the session, or encode it in the URL as a query parameter. Like the Forms login does with ReturnUrl.

tvanfosson
A: 

Is Server.Transfer an option?

There are some caveats though that you will need to look into. E.G. Keeps the original URL, Authorization, etc... More details in the link.

Keeping the original URL may be advantageous in this circumstance.

Brian Schmitt
Server.Transfer is only an option when its on the same server, correct? In this case, I need to redirect to a different server, so probably not going to work :(
Gregorius
Correct - Same server...
Brian Schmitt
ahh well, not to be then.
Gregorius
A: 

The referrer Header that your second server gets is generated by the browser and it will be unlikely that you can change it in any sensible way.

Did you try adding the Referrer to the URL and then reading that on your second server instead?

Response.Redirect("url?Referer=" + Server.UrlEncode(Request.UrlReferrer));
Martin Brown
A: 

Set an auth cookie (with a keyed hash and a 5-minute expiration), send a redirect response, browser sends a new request to the second server (if it's the same domain) along with the auth coookie, second server checks the cookie, ensures that only the first server could have set it, and sends back the content to the browser.

Justice
+1  A: 

That will go against the Referer (sic) header definition:

The Referer[sic] request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained (the "referrer", although the header field is misspelled.)

If you are redirecting this is clearly not the case to add this header.

If you need this information try with a cookie or some session variable, or even better a variable in the URL as you have already been told.

Leandro López
A: 

If the redirect is to the same process I'd use a Session value to store the referrer URI to allow the secondary page to pick it up. I use that on my system to maintain the referrer between the redirect of http connections to our https system.

Lazarus
What if the user is making two request concurrently? I know, it is mostly impossible to happen, but who knows...
Leandro López
It's a good question. I suspect the second request will overwrite the Session["referrer"] value that I've created, however my code will have already stored the first request in a DB table so I still have it for reporting purposes but overkill in this scenario.
Lazarus
+4  A: 

There is an HTML hack available.

<form action="http://url.goes.here" id="test" method="GET"></form>
<script type="text/javascript">
  document.getElementById("test").submit();
</script>

If you need to trigger that from a code behind, that can be done too:

Response.Write( @"<form action="http://url.goes.here" id="test" method="GET"></form>
                  <script type="text/javascript">
                     document.getElementById("test").submit();
                  </script> ");

As Inkel might point out, that is a loose interpretation of the Referer[sic] spec. It will do what you want though.

matt.mercieca
Yep, that's the only thing that worked for me in both IE7 and FF3
Evgeny
A: 

+1 to inkel's comment above.

Though if you don't care about the spec and just want to do it anyway, you can avoid using Response.Redirect and instead build the response headers yourself.

Response.StatusCode = 302; //temp redirect
Response.Headers.Add("Location", "your/url/here");
Response.Headers.Add("Referer", "something.com");
Response.End();

This is off the top of my head, you might need to have a few other things in the response header.

Ben Scheirman