determine origin of request

John A Grandy

How to determine if a request originated from a link click, or otherwise
(such as pasting the url into the browser).

This would seem to work ...

if (Request.Url.Host == Request.UrlReferrer.Host)
{


But what if Request.UrlReferrer == null ... ?

Any other ideas?
 
Mark Rae

> How to determine if a request originated from a link click, or otherwise
> (such as pasting the url into the browser).
>
> This would seem to work ...
>
> if (Request.Url.Host == Request.UrlReferrer.Host)
> {
>
> But what if Request.UrlReferrer == null ... ?

Request.UrlReferrer, aka Request.ServerVariables["HTTP_REFERER"] cannot be
relied upon at all...
http://www.google.co.uk/search?hl=en&rls=GGLG,GGLG:2006-28,GGLG:en&q="HTTP_REFERER"+reliable&meta=

Just like the IP address, it is so easy to spoof it
(http://www.datatrendsoftware.com/spoof.html), to the extent where the best
advice I can give you is simply not to try. Think about why you *REALLY*
need to know this information, and then work around it...
 
John A Grandy

Hmmm ...

Ok. Well, for sites with a tracking page that writes some tracking data to
db and then redirects to the target url, what are other solutions to stop
hackers from manipulating the tracking data?

 
Mark Rae

> Ok. Well, for sites with a tracking page that writes some tracking data to
> db and then redirects to the target url,

LOL! All that tells them is that the target URL has come from the tracking
page! The initial request to the tracking page could have come from
anywhere - don't you get it?

> what are other solutions to stop hackers from manipulating the tracking
> data ?

None that I know of, and this is another of those occasions where I would
dearly *love* to be proven wrong...

I've seen all sorts of "smoke and mirrors" solutions involving encrypted
querystrings and God knows what - none of them works...
 
John A Grandy

Guess I'm not as cynical as you.

I do see a couple moves in the right direction:

1. checking Request.UrlReferrer.Host against Request.Url.Host at least
prevents against the simple hack of copy/pasting a url from a link button
into a browser.

2. hashing the track click url and tacking it onto the end as an additional
param and on link click re-constructing the hash server-side and comparing
to the link's hash would prevent against automated software that sent
endless tracking requests with small variations
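
The scheme in point 2 above, sketched as an added example (editorial code, not posted by anyone in this thread). A plain hash can be recomputed by anyone who knows the scheme, so the sketch assumes a keyed hash (HMAC-SHA256) with a server-side secret instead; the class, method and `sig` parameter names are hypothetical, and the query strings are constructed samples.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: TrackingLink, Sign, Verify and the "sig" parameter are hypothetical names.
public static class TrackingLink
{
    // Assumption: a secret held only on the server (loaded from configuration in practice).
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    // HMAC-SHA256 over the exact query string the link carries, as lowercase hex.
    private static string MacHex(string query)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(query));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    // Used when rendering the page: appends the signature as the last parameter.
    public static string Sign(string query)
    {
        return query + "&sig=" + MacHex(query);
    }

    // Used by the tracking page before anything is written to the database.
    // signedQuery is the raw query string without the leading '?'.
    public static bool Verify(string signedQuery)
    {
        int i = signedQuery.LastIndexOf("&sig=", StringComparison.Ordinal);
        if (i < 0) return false;                          // signature missing
        string expected = MacHex(signedQuery.Substring(0, i));
        string given = signedQuery.Substring(i + 5);
        if (given.Length != expected.Length) return false;
        int diff = 0;                                     // compare without early exit
        for (int k = 0; k < expected.Length; k++) diff |= given[k] ^ expected[k];
        return diff == 0;
    }

    public static void Main()
    {
        string link = Sign("id=42&target=%2Fproducts");              // constructed sample
        Console.WriteLine(Verify(link));                              // unmodified link
        Console.WriteLine(Verify(link.Replace("id=42", "id=43")));    // parameter varied
        Console.WriteLine(Verify("id=42&target=%2Fproducts"));        // no signature
        Console.WriteLine(Verify(link));                              // same link requested again
    }
}
```

A signature that verifies shows only that the server issued that exact link; the same signed link can be requested any number of times, so it says nothing about whether a click took place.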
 
