We are signing up to an online resource that uses http-referer as authentication (bad idea, I know) to prove that the request comes from our intranet (IP address is not available for this as there is a higher level proxy).

Unfortunately it might be that their system requires a specific referer URL rather than taking the domain. This will mean when we want to link to the resource from a different page we will need to either register yet another URL with them or link to effectively a splash page they have to click through again.

If we need to go down this route I'd like to make it as unnoticeable as possible and so was wondering what the best approach would be to achieve the following:

  1. http://intranet/somerandomurl has a link to
  2. http://intranet/AuthorisedUrl which needs to be the referrer to
  3. http://externalsite/

Is there any way to do this without literally making people click on a link? (the vast majority of browsers will be IE6 or IE7 if that helps, if some need to click on the link but I can use JS for most I'm ok with that).

A: 

Put this code on link 2. For those with JavaScript enabled,

<script type="text/javascript">
<!--
window.location = "http://externalsite/"
//-->
</script>

This will redirect them to http://externalsite/ as soon as it executes. Put this as early on within the <head> as possible, so that the redirect occurs as early in the page loading as possible.

Then just put a manual link for those with JavaScript disabled.

Either way, link 2 will be the HTTP_REFERER for externalsite.

(Caveat: This is a really, really unsecure method of authentication.)


EDIT: It looks like there's a known issue with IE not passing HTTP_REFERER on javascript redirects. Here is the workaround: http://webbugtrack.blogspot.com/2008/11/bug-421-ie-fails-to-pass-http-referer.html

yc
I was thinking it'd have to be client-side JS. Are there browser inconsistency issues with this though, with some changing the referer as wanted but others not? (And yeah, I agree with that caveat, but it's not our system so nothing I can do about that.)
Chao
There shouldn't be any browser inconsistencies, but you can test it out here: http://htmlto.com/redirect/1.html . Clicking the link will take you to 2.html, which will Javascript redirect to 3.php, which is set to echo the HTTP_REFERER. It should say 2.html; if it ever says 1.html, you've got a browser inconsistency.
yc
I stand corrected; IE won't pass the http_referer off of a JavaScript redirect; see my edit for the fix.
yc
The test isn't working (the document.body reference comes before there is a body element loaded in the DOM) but the issue with IE is the main thing needed so answer accepted.
Chao
Oops, thanks! Fixed and tested.
yc
Still doesn't work. The script has to go in the body tag or be in a function in the head that's called in the body; having it as a function like on webbugtrack also has the advantage of being reusable. I also replaced the browser sniffing with IE conditional comments.
Chao
Weirdly it works in my IE7-8. Moved it into the body anyways. Oh well, as long as it works for you.
yc
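
The points raised in the comments (navigate through a link click so IE sends the Referer, keep it in a reusable function, and only touch document.body once it exists) can be combined as in the following added example. It is not the answerer's code or the code from the linked page; the function name and the `win`/`doc` parameters are hypothetical, and it assumes the workaround is a programmatic click on a generated link.

```javascript
// Added example. redirectKeepingReferrer, win and doc are hypothetical names.
// win/doc default to the browser globals; they are parameters so the logic
// can be exercised outside a browser with stand-in objects.
function redirectKeepingReferrer(url, win, doc) {
  win = win || window;
  doc = doc || document;

  var link = doc.createElement("a");

  // Feature test instead of browser sniffing: if anchors cannot be clicked
  // from script, a plain location change is the only option left.
  if (!link.click) {
    win.location.href = url;
    return "location";
  }

  // The generated link must be attached to the document before it is
  // clicked, so <body> has to exist already (the failure noted in the
  // comments when the script ran from <head>).
  if (!doc.body) {
    throw new Error("call redirectKeepingReferrer from inside <body>");
  }

  link.href = url;
  link.style.display = "none";
  doc.body.appendChild(link);
  link.click(); // navigation starts from a link, so the Referer is sent
  return "link-click";
}
```

On the intermediate page, define the function in the head and call it from a script element inside the body, with the manual link kept as the fallback for users without JavaScript.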