views: 53

answers: 3

Hi,

I hope you could help me with the following question:

A user clicks a hyperlink in a page. Server A handles the request and redirects the client to a URL on Server B (more specifically I am using the Response.Redirect method in .NET on server A).

I have been asked to restrict access to Server B to redirects originating from Server A only (by blocking IPs other than Server A's). At first I thought this could be achieved by using the HTTP 'referer' header; however, it seems it is up to the browser to set this to a URL (rather than an IP), and it is not guaranteed to do so.

I guess there is no way to set the HTTP 'referer' on server A in .NET (to server A's IP)? (My intuition is that this would be a security hole.) So my question is: how can I restrict access to Server B to redirects originating from Server A?

Any help much appreciated,

Martijn

+1  A: 

No, you cannot do it that way: browsers only set the referrer in certain conditions, and a client can spoof it.

The referrer header is a request header, not a response header, so Server A cannot set it.

You would have to do something server-side (a token, perhaps), so long as you are in control of both servers, then pass the token as a parameter in the URL you redirect to.

Chris Diver
+2  A: 

You could send a signed message in the redirect process, so that server B can verify that it was signed by server A.

Tim Mahy
+1  A: 

Let me tell you how I understood your question: you have a set of web pages (p1, p2, p3, p4) distributed on two servers, A (p1, p2) and B (p3, p4). Clients can click links to pages p1, p2 that redirect the user to pages p3, p4, through server A to server B.

You want users to be restricted so that they cannot access pages p3, p4. In other words, get server B to restrict access to pages p3, p4 except through redirects generated by server A.

If I got the point this way, you can let server A append a query string to the URL while redirecting and let server B check that query string; and instead of using Response.Redirect from server A, you can use Server.Transfer in order to hide the URL from the user.

SubPortal
Exactly. Thanks for your answer. Much appreciated.
martijn_himself
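The token scheme the answers describe (Chris Diver's token in the redirect URL, Tim Mahy's signed message, SubPortal's query string checked by server B), written out as an added example that is not code from any of the posters: Server A signs the target path plus an expiry with an HMAC under a secret shared with Server B, and Server B recomputes and compares the signature before serving the page. The host name, key and the `exp`/`sig` parameter names are assumptions for the demonstration; in .NET the same construction uses System.Security.Cryptography.HMACSHA256.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Secret known only to Server A and Server B (constructed sample value).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 60  # seconds a redirect token stays valid
SERVER_B = "https://server-b.example"  # assumed host name


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over the target path and expiry, URL-safe base64 encoded."""
    msg = f"{path}|{expires}".encode()
    digest = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def build_redirect(path: str, now: int) -> str:
    """Server A: build the Location URL it sends the browser to on Server B."""
    expires = now + TOKEN_TTL
    qs = urlencode({"exp": expires, "sig": _mac(path, expires)})
    return f"{SERVER_B}{path}?{qs}"


def verify_request(url: str, now: int) -> bool:
    """Server B: serve the page only if the token matches the path and is unexpired."""
    u = urlparse(url)
    q = parse_qs(u.query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False  # token missing or malformed
    if now > expires:
        return False  # token expired
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(sig, _mac(u.path, expires))


if __name__ == "__main__":
    url = build_redirect("/p3", now=1000)
    print(url)
    print("fresh:", verify_request(url, now=1010))
    print("expired:", verify_request(url, now=1061))
    print("tampered path:", verify_request(url.replace("/p3", "/p4"), now=1010))
```

The token is bound to the path and the expiry but not to the client, so anyone who obtains the URL can replay it within the window; if that matters, have Server B record each token and refuse a second use.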