Currently, we're storing the user's HTTP_REFERER so we can redirect the user back to the previous page they were browsing before they logged in.

The HTTP Referer header comes from the client and can be spoofed or blank. Is there a more secure/reliable method to deliver this handy user redirect?

+1  A: 

Somehow running

history.go(-1);

is the only alternative I can think of (JavaScript).

Andrew Bullock
+2  A: 

Do you have sessions?

If so, you can track on the server side which pages they have accessed in this session and send them back to the previous one.

(Caching might mess this up, but you could set the cache-control: header appropriately)

But this all seems more pain than gain. Is there any real issue in sending them back to a spoofed page, if they're silly enough to do that?

Paul.

Paul
A: 

Usually I pass it through with the login form.

<form action="login" method="post">
<!-- the page the user is currently on, carried through the login round trip -->
<input type="hidden" name="url" value="... whatever the current url is ...">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Log in">
</form>
Greg
And how will you know which page it was? Oh, you are assuming the login page is on a different site.
Vinko Vrsalovic
I was kinda assuming the login box was on every page of the site, so you can browse the site not logged in, but log in from any page and get taken back to the page you were on
Greg
Hmmm, it seems we need more context. I interpreted he wanted to send the user back to, say, google.com
Vinko Vrsalovic
I disagree with storing information on the client side for security reasons. If I store the referrer in a server side session variable I can trust the user can't change the value I just set. With a hidden field, all bets are off.
Cory House
But... the information is coming from the client in the first place...
Greg
Sure, but all data coming from the client should be validated before use to avoid reflected XSS vulnerabilities. Thus, it's best to validate any client data being inserted into your scripts and store the data server side so you know it can't be manipulated.
Cory House
I think you're confusing validation with escaping
Greg
A: 

Not that I know of. But then, are you supposing that normal users will be around faking their Referer just to be redirected to the wrong place? That looks unlikely.

I worry about the need to redirect users to where they came from without even asking them about it. I'd either have a preferences option to decide whether to allow it or not (and where to), or ask them prior to the redirection, so they are able to deny the redirection.

If RoBorg's assumption holds, that you'll be offering login screens on sites other than your own and you want to store the source site, then of course you can use the same form to send the site they logged in from.

Vinko Vrsalovic
A: 

The referer would probably work fine for the majority of users, although I guess you'd need to check for XSRF. What we do is, when someone hits an area where they have to log in, they get redirected to the login page, with the URL of where they were stored in the session.

Once they're logged in, they are then redirected to the previous URL.

Of course, this very much depends on how your authentication is setup!

Phill Sacre
A: 

I actually have a function that makes use of several different methods for redirecting depending on which path the user took to get to the login page.

The function I call after the user logs in looks something like:

' Called after a successful login. Picks the return target in order of
' precedence: "rtn" query-string parameter, hidden form field, Referer
' header (unless it points back at the login page), then the default page.
Protected Sub doRedirect(ByVal sender As Object, ByVal e As System.EventArgs)
    If Not Request.QueryString("rtn") Is Nothing Then
        ' 1. Explicit return URL passed on the query string
        Response.Redirect(Request.QueryString("rtn").ToString)
    ElseIf Me.hidden_return.Value <> "" Then
        ' 2. Return URL carried in a hidden field of the login form
        Response.Redirect(Me.hidden_return.Value)
    ElseIf Not Request.UrlReferrer Is Nothing AndAlso Request.UrlReferrer.Segments(Request.UrlReferrer.Segments.Length - 1) <> "login.aspx" Then
        ' 3. Referer header, skipped when the previous page was the login page itself
        Response.Redirect(Request.UrlReferrer.ToString)
    Else
        ' 4. Nothing usable: send them to the default page
        Response.Redirect("default.aspx")
    End If
End Sub

Obviously this could all be spoofed on the clients end, but I don't really care if they want to spoof themselves.

Ryan Smith
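The three mechanisms in this thread (Greg's hidden form field, Phill's session variable, and the query-string/hidden-field/Referer chain in the VB.NET answer above) all end up calling a redirect with a value that originated on the client. The check a practitioner would want on top of any of them is that the target resolves to a page on your own site, so that a spoofed or attacker-supplied value can at worst land the user on the wrong page of your site and never off-site. The following is an added example, not code from the thread or from any of the posters; it is written in Python rather than VB.NET so it runs stand-alone, and the host name, default page, login path and session dictionary are assumptions for the example.

```python
"""
Post-login return-URL handling with a same-site check.

Added example, not code from the original thread. `safe_return_url`
reduces any candidate (query parameter, hidden field, Referer header,
or a path remembered in the session) to a site-local path, or None if
it cannot be trusted; the callers then follow the same precedence as the
VB.NET answer, and a session-based variant is shown for the approach of
storing the page that required login server side.
"""
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"     # assumption: the host we serve
DEFAULT_TARGET = "/default.aspx"  # assumption: the fallback page
LOGIN_PATH = "/login.aspx"        # assumption: never redirect back here


def safe_return_url(candidate):
    """Return a site-local path for `candidate`, or None if it is not safe.

    Accepts "/account", "/a/b?x=1#frag", "https://www.example.com/p".
    Rejects other hosts, protocol-relative "//host/", non-http schemes
    such as javascript:, backslash tricks, userinfo tricks
    ("https://www.example.com@evil/"), and the login page itself.
    """
    if not candidate:
        return None
    candidate = candidate.strip()
    # Browsers treat backslashes as slashes; reject rather than normalise.
    if "\\" in candidate:
        return None
    parts = urlsplit(candidate)
    # javascript:, data:, etc. are never a page we want to send anyone to.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None
    # Absolute or protocol-relative URL: only our own host is acceptable.
    # userinfo ("user@host") ends up in netloc, so the comparison catches it.
    if parts.netloc and parts.netloc.lower() != SITE_HOST:
        return None
    path = parts.path or "/"
    # Must be a single-slash-rooted path; relative names and "//" are out.
    if not path.startswith("/") or path.startswith("//"):
        return None
    if path.lower() == LOGIN_PATH:
        return None
    # Rebuild the target from its parts so only a local path is ever emitted.
    local = path
    if parts.query:
        local += "?" + parts.query
    if parts.fragment:
        local += "#" + parts.fragment
    return local


def choose_redirect(query_rtn=None, hidden_rtn=None, referer=None):
    """Same precedence as the VB.NET answer: query param, hidden field,
    Referer, then the default page, but each candidate is validated first."""
    for candidate in (query_rtn, hidden_rtn, referer):
        target = safe_return_url(candidate)
        if target is not None:
            return target
    return DEFAULT_TARGET


def remember_and_redirect_to_login(session, requested_path):
    """Session variant: when a page requires login, store where the user
    was (validated) in the server-side session and send them to the login
    page. `session` is any dict-like server-side store (assumption)."""
    session["return_to"] = safe_return_url(requested_path) or DEFAULT_TARGET
    return LOGIN_PATH


def after_login(session):
    """Session variant: consume the stored target once, falling back to
    the default page if nothing was recorded."""
    return session.pop("return_to", DEFAULT_TARGET)


if __name__ == "__main__":
    # Constructed inputs: an attacker-supplied query parameter loses to a
    # legitimate hidden field, and a Referer of the login page is ignored.
    print(choose_redirect(query_rtn="//evil.example/", hidden_rtn="/orders"))
    print(choose_redirect(referer="https://www.example.com/login.aspx"))
    s = {}
    remember_and_redirect_to_login(s, "/cart")
    print(after_login(s))
```

Note that the function never echoes the original string back in the Location header; it rebuilds a path from the parsed components, which is what makes the scheme and host checks hold even for inputs the parser and the browser would otherwise disagree on.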