Response.Redirect strips Header Referrer - Possible to Add it Back?

Question

I'm using a Response.Redirect to redirect users to another server to download a file, and the other server is checking the header to ensure it came from the correct server... however it seems Response.Redirect strips the headers from the Response.

Does anybody know how i can add the headers back? I've tried:

Response.AddHeader("Referer", "www.domain.com");

But the receiving page tests false when i check if the Referrer header is set.

Any suggestions how i can get this working, other than displaying a button for the user to click on (i'd like to keep the url hidden from the user as much as possible)

thanks greg

Answer 1

I don't think it's possible. What you are sending back to the client is a Location header that tells the client to load the page referred to instead of the page it originally requested. In this case the client is not coming from a link and thus does not set the referrer header. It's basically as if the user typed the redirect url in the location bar in his browser.

You may be able to save the referrer in the session, or encode it in the URL as a query parameter. Like the Forms login does with ReturnUrl.

Answer 2

Is Server.Transfer an option?

There are some caveats though that you will need to look into. E.G. Keeps the original URL, Authorization, etc... More details in the link.

Keeping the original URL may be advantageous in this circumstance.

Answer 3

The referrer Header that your second server gets is generated by the browser and it will be unlikely that you can change it in any sensible way.

Did you try adding the Referrer to the URL and then reading that on your second server instead?

Response.Redirect("url?Referer=" + Server.UrlEncode(Request.UrlReferrer));

Answer 4

Set an auth cookie (with a keyed hash and a 5-minute expiration), send a redirect response, browser sends a new request to the second server (if it's the same domain) along with the auth coookie, second server checks the cookie, ensures that only the first server could have set it, and sends back the content to the browser.

Answer 5

That will go against the Referer (sic) header definition:

The Referer[sic] request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained (the "referrer", although the header field is misspelled.)

If you are redirecting this is clearly not the case to add this header.

If you need this information try with a cookie or some session variable, or even better a variable in the URL as you have already been told.

Answer 6

If the redirect is to the same process I'd use a Session value to store the referrer URI to allow the secondary page to pick it up. I use that on my system to maintain the referrer between the redirect of http connections to our https system.

Answer 7

There is an HTML hack available.

<form action="http://url.goes.here" id="test" method="GET"></form>
<script type="text/javascript">
  document.getElementById("test").submit();
</script>

If you need to trigger that from a code behind, that can be done too:

Response.Write( @"<form action="http://url.goes.here" id="test" method="GET"></form>
                  <script type="text/javascript">
                     document.getElementById("test").submit();
                  </script> ");

As Inkel might point out, that is a loose interpretation of the Referer[sic] spec. It will do what you want though.

Answer 8

+1 to inkel's comment above.

Though if you don't care about the spec and just want to do it anyway, you can avoid using Response.Redirect and instead build the response headers yourself.

Response.StatusCode = 302; //temp redirect
Response.Headers.Add("Location", "your/url/here");
Response.Headers.Add("Referer", "something.com");
Response.End();

This is off the top of my head, you might need to have a few other things in the response header.