Rudy H
Hello.
My portal creates a link to an e-store hosted by another
vendor. The vendor verifies the user is coming directly
from my portal via the Http-Referer header. (The security
concerns that may or may not be relevant have been
overlooked, but any insight is helpful.)
This referer-validation mechanism has been in place for a
few weeks with a user base of 1000+ users. However, we
have had two reported cases of users not being able to
gain access to the vendor-hosted e-store. It appears that
the HTTP-REFERER header validation is failing.
I set up a test scenario on my portal that simply creates
a link on one page to a second page, where the second
page prints out the referer value using
HttpServletRequest.getHeader("referer"). The link has
been created using the standard anchor tag.
-------------- test.jsp -----------------
<html>
<head>
<title>Test Page</title>
</head>
<body>
<h2>Test page</h2>
<a href="test2.jsp">Click me</a>
</body>
</html>
-------------- test2.jsp -----------------
<html>
<head>
<title>Test Page</title>
</head>
<body>
<h2>Test page</h2>
<%
String referer = request.getHeader("referer");
%>
<br>The referer URL is <%= referer %>.
</body>
</html>
From my browser, I get the
expected "http://www.myportal.com" value for the referer.
However, when my user with the problem hits the test page
and then follows the link, the referer that is returned
displays the value null.
I searched the Microsoft Knowledge Base and found only
the article 178066 relevant, but it only suggests that
the REFERER header will be null under the following
scenarios:
1) javascript:somejavascriptcode -->
http://example.microsoft.com
2) file://c:\alocalhtmlfile.htm -->
http://example.microsoft.com
3) https://example.microsoft.com -->
http://www.microsoft.com
In my case, I am going from
http://www.myportal.com/test.jsp to
http://www.myportal.com/test2.jsp.
The problem user's environment:
Windows XP Pro
MS IE v6.0.2800.1106
Can anybody see why the HTTP-REFERER is returning null
for these two problem users? Is there a setting in IE
that lets users disable setting the referer header? Any
help is much appreciated!
-Rudy
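As an added illustration, not Rudy's code and not the vendor's, here is how the vendor-side check could be written so that a missing Referer (the case the two users hit) is recorded as its own outcome rather than as a generic access failure, and so that the comparison is on the full origin instead of a substring. ALLOWED_ORIGINS and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit

# Origins the vendor trusts as the entry point (hypothetical; the real list is the vendor's).
ALLOWED_ORIGINS = {("http", "www.myportal.com", 80), ("https", "www.myportal.com", 443)}

def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)

def check_referer(headers):
    """Classify one request by its Referer header.
    Returns 'ok', 'missing' (header absent or empty, as in the post)
    or 'mismatch' (present but not from an allowed origin).
    `headers` maps lowercase header names to values."""
    referer = headers.get("referer")
    if not referer:
        return "missing"
    return "ok" if origin_of(referer) in ALLOWED_ORIGINS else "mismatch"

# Constructed sample requests covering each outcome.
SAMPLE_REQUESTS = [
    {"user": "alice", "referer": "http://www.myportal.com/test.jsp"},
    {"user": "bob"},  # header never sent (client or proxy stripped it)
    {"user": "carol", "referer": "http://www.myportal.com.example.net/test.jsp"},
    {"user": "dave", "referer": "www.myportal.com/test.jsp"},  # not an absolute URL
]

def headers_of(req):
    """Strip the bookkeeping 'user' key to get the request headers."""
    return {k: v for k, v in req.items() if k != "user"}

def triage(requests):
    """Count outcomes so support can tell 'missing' (client never sent the
    header) apart from 'mismatch' (came in through the wrong entry point)."""
    counts = {"ok": 0, "missing": 0, "mismatch": 0}
    for req in requests:
        counts[check_referer(headers_of(req))] += 1
    return counts

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["user"], check_referer(headers_of(req)))
    print(triage(SAMPLE_REQUESTS))
```

Logging the 'missing' outcome separately is what makes the support case on this page diagnosable from the vendor's own logs.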