How to determine if a request originated from a link click , or otherwise
( such as pasting the url the browser ).

This would seem to work ...

if (Request.Url.Host == Request.UrlReferrer.Host)
{


But what if Request.UrlReferrer == null ... ?

Any other ideas ?

"John A Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
news:(E-Mail Removed)...

> How to determine if a request originated from a link click , or otherwise
> ( such as pasting the url the browser ).
>
> This would seem to work ...
>
> if (Request.Url.Host == Request.UrlReferrer.Host)
> {
>
>
> But what if Request.UrlReferrer == null ... ?

Request.UrlReferrer, aka Request.ServerVariables["HTTP_REFERER"] cannot be
relied upon at all...
http://www.google.co.uk/search?hl=en...reliable&meta=

Just like the IP address, it is so easy to spoof it
(http://www.datatrendsoftware.com/spoof.html), to the extent where the best
advice I can give you is simply not to try. Think about why you *REALLY*
need to know this information, and then work around it...

Hmmm ...

Ok. Well, for sites with a tracking page that writes some tracking data to
db and then redirects to the target url, what are other solutions to stop
hackers from manipulating the tracking data ?

"Mark Rae" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "John A Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
> news:(E-Mail Removed)...
>
>> How to determine if a request originated from a link click , or otherwise
>> ( such as pasting the url the browser ).
>>
>> This would seem to work ...
>>
>> if (Request.Url.Host == Request.UrlReferrer.Host)
>> {
>>
>>
>> But what if Request.UrlReferrer == null ... ?
>
> Request.UrlReferrer, aka Request.ServerVariables["HTTP_REFERER"] cannot be
> relied upon at all...
> http://www.google.co.uk/search?hl=en...reliable&meta=
>
> Just like the IP address, it is so easy to spoof it
> (http://www.datatrendsoftware.com/spoof.html), to the extent where the
> best advice I can give you is simply not to try. Think about why you
> *REALLY* need to know this information, and then work around it...
>

"John A Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
news:(E-Mail Removed)...

> Ok. Well, for sites with a tracking page that writes some tracking data to
> db and then redirects to the target url,

LOL! All that tells them is that the target URL has come from the tracking
page! The initial request to the tracking page could have come from
anywhere - don't you get it?

> what are other solutions to stop hackers from manipulating the tracking
> data ?

None that I know of, and this is another of those occasions where I would
dearly *love* to be proven wrong...

I've seen all sorts of "smoke and mirrors" solutions involving encrypted
querystrings and God knows what - none of them works...

Guess I'm not as cynical as you.

I do see a couple moves in the right direction :

1. checking Request.UrlReferrer.Host against Request.Url.Host at least
prevents against the simple hack of copy/pasting a url from a link button
into a brower.

2. hashing the track click url and tacking it onto the end as an additional
param and on link click re-constructing the hash server-side and comparing
to the link's hash would prevent against automated software that sent
endless tracking requests with small variations


"Mark Rae" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "John A Grandy" <johnagrandy-at-yahoo-dot-com> wrote in message
> news:(E-Mail Removed)...
>
>> Ok. Well, for sites with a tracking page that writes some tracking data
>> to db and then redirects to the target url,
>
> LOL! All that tells them is that the target URL has come from the tracking
> page! The initial request to the tracking page could have come from
> anywhere - don't you get it?
>
>> what are other solutions to stop hackers from manipulating the tracking
>> data ?
>
> None that I know of, and this is another of those occasions where I would
> dearly *love* to be proven wrong...
>
> I've seen all sorts of "smoke and mirrors" solutions involving encrypted
> querystrings and God knows what - none of them works...
>