Well, this one freaks me out. I used an HTTP header check tool to check the headers of my webpage, and guess what: in every request the response was 302 instead of 200.

domain.con
www.domain.con
http://www.domain.con

So, am I missing something here? I have not placed any redirect in any way.

So where the f#$% does my website redirect? Is there a security hole?

UPDATE: While googling found this one

A: 

domain.com is not the same as www.domain.com - that's a redirect.

Oded
I guess I understand that, but shouldn't both return 200?
Chocol8
The redirect will return a 302 (redirect), the last one should return a 200.
Oded
Well, it should but it does NOT. It returns 302 too.
Chocol8
Have you looked at the complete trace using Fiddler? Where is the second redirect going to?
Oded
A: 

It's possible that you forgot to add a final slash to the end of your URL. Most webservers will redirect you to the "canonical" location that includes the slash. If you include the slash, you may get the response you're looking for.

Ivo
The response was once again 302.
Chocol8
+1  A: 

Maybe a case of this:

302 Found

This is the most popular redirect code, but also an example of industrial practice contradicting the standard. HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily"), but popular browsers implemented 302 with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviours. However, the majority of Web applications and frameworks still use the 302 status code as if it were the 303.

303 See Other (since HTTP/1.1)

The response to the request can be found under another URI using a GET method. When received in response to a PUT, it should be assumed that the server has received the data and the redirect should be issued with a separate GET message.

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Radu
A: 

Are you using forms authentication, and is the login page some other page than the default page, say auth.aspx? If this is the case then you will always get a 302 code and the page will be redirected to the login page.

ajay_whiz
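The hop-by-hop trace suggested in the answers, as an added example that is not part of the original thread: it records the status and `Location` header of every hop without auto-following, and flags any hop that leaves the starting host. The local demo server, its routes and the `default.aspx` path are constructed for illustration; `auth.aspx` is the login page name from the last answer.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Constructed sample site: path -> (status, Location header or None).
ROUTES = {
    "/": (302, "/default.aspx"),
    "/default.aspx": (302, "/auth.aspx?ReturnUrl=%2fdefault.aspx"),
    "/auth.aspx?ReturnUrl=%2fdefault.aspx": (200, None),
}

class DemoHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        status, location = ROUTES.get(self.path, (404, None))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def trace_redirects(url, max_hops=10):
    """Return one (status, url, location, off_host) tuple per hop, never auto-following."""
    start_host, hops = urlsplit(url).hostname, []
    for _ in range(max_hops):
        parts = urlsplit(url)
        https = parts.scheme == "https"
        conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(parts.netloc, timeout=5)
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
        target = urljoin(url, location) if location else None
        # A hop that leaves the starting host is the one worth investigating.
        off_host = target is not None and urlsplit(target).hostname != start_host
        hops.append((status, url, location, off_host))
        if status not in (301, 302, 303, 307, 308) or target is None:
            break
        url = target
    return hops

def run_demo():
    with HTTPServer(("127.0.0.1", 0), DemoHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return trace_redirects(f"http://127.0.0.1:{server.server_port}/")
        finally:
            server.shutdown()
```

A chain that stays on the same host and ends at the login page with a `ReturnUrl` parameter matches the forms-authentication explanation; a hop with `off_host` set to `True` that you did not configure is the case to look into.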