I have a simple piece of code which is being difficult.
I have a web page (in classic asp) that will redirect to a login page if
they didn't come from that page.
Which means that they have to access my page via the login page.
The login page...which is done in asp.net and resides on a server will
be directed to a default page once logged in. On this default
page...there's a link to access my page which is on another server and
done in classic asp.
On my page I test to see if they came from the default page.
This is my code:
If request.servervariables("HTTP_REFERER") <> "http://www.thedefaultpage.com" then
    response.redirect "http://www.theloginpage.com"
end if
When I do a response.write request.servervariables("HTTP_REFERER") it
shows up empty. Is there an issue with using server variables from an
aspx page to an asp page?
Thanks
Rob
*** Sent via Developersdex http://www.examnotes.net ***
Don't just participate in USENET...get rewarded for it!
Shouldn't that be :
If request.servervariables("HTTP_REFERER") <> "http://www.yourserver.com/thedefaultpage.asp" then
    response.redirect "http://www.yourserver.com/loginpage.aspx"
end if
?
Juan T. Llibre
ASP.NET MVP
===========
"Rob" <robert@.hotmail.com> wrote in message
news:ea4n6vABFHA.2076@.TK2MSFTNGP15.phx.gbl...
> I have a simple piece of code which is being difficult.
> I have a web page (in classic asp) that will redirect to a login page if
> they didn't come from that page.
> Which means that they have to access my page via the login page.
> The login page...which is done in asp.net and resides on a server will
> be directed to a default page once logged in. On this default
> page...there's a link to access my page which is on another server and
> done in classic asp.
> On my page I test to see if they came from the default page.
> This is my code:
> If request.servervariables("HTTP_REFERER") <> "http://www.thedefaultpage.com" then
>     response.redirect "http://www.theloginpage.com"
> end if
> When I do a response.write request.servervariables("HTTP_REFERER") it
> shows up empty. Is there an issue with using server variables from an
> aspx page to an asp page?
> Thanks
> Rob
Ya, I tried that and I tried just the domain and neither of them worked.
I wasn't sure exactly what path would be returned so I tried to display
it on the page and it's an empty string.
Rob
You do realize, Rob, that if clients have bookmarked
any .aspx page in your asp.net server ( *not* on the
.asp server ) that HTTP_REFERER will be empty,
don't you ?
That would mean that the client wasn't referred from
your .asp page, yet they'd be allowed to view your
.aspx page without being re-directed.
Juan T. Llibre
ASP.NET MVP
===========
"Rob" <robert@.hotmail.com> wrote in message
news:OvV4KGBBFHA.2180@.TK2MSFTNGP12.phx.gbl...
> Ya, I tried that and I tried just the domain and neither of them worked.
> I wasn't sure exactly what path would be returned so I tried to display
> it on the page and it's an empty string.
> Rob
also a lot of proxy servers strip the HTTP_REFERER header
-- bruce (sqlwork.com)
"Juan T. Llibre" <nomailreplies@.nowhere.com> wrote in message
news:OhsWjWBBFHA.612@.TK2MSFTNGP09.phx.gbl...
| You do realize, Rob, that if clients have bookmarked
| any .aspx page in your asp.net server ( *not* on the
| .asp server ) that HTTP_REFERER will be empty,
| don't you ?
|
| That would mean that the client wasn't referred from
| your .asp page, yet they'd be allowed to view your
| .aspx page without being re-directed.
|
|
|
|
| Juan T. Llibre
| ASP.NET MVP
| ===========
| "Rob" <robert@.hotmail.com> wrote in message
| news:OvV4KGBBFHA.2180@.TK2MSFTNGP12.phx.gbl...
| >
| > Ya, I tried that and I tried just the domain and neither of them worked.
| > I wasn't sure exactly what path would be returned so I tried to display
| > it on the page and it's an empty string.
| >
| > Rob
|
|
Actually it's the other way around. They log in to the aspx page and when
they click on the link on the default page, they go to my asp page.
They're also passing a querystring parameter on that link and I check
for that too.
I realize the bookmark issue and I'm checking to see if the querystring
is empty or if they were referred from the default page. That ensures
that they have to access my page through the login.aspx page.
I've omitted this part because I didn't think it was relevant. I just
can't see why it would show up as empty string when trying to retrieve
the value.
I did some testing on our own server and showing the value of
request.servervariables("HTTP_REFERER") was not a problem.
Thanks
Rob
Is there any way of configuring the proxy server to not do that?
Rob
On Wed, 26 Jan 2005 18:38:09 -0800, Rob <robert@.hotmail.com> wrote:
>Actually it's the other way around. They log in to the aspx page and when
>they click on the link on the default page, they go to my asp page.
>They're also passing a querystring parameter on that link and I check
>for that too.
>I realize the bookmark issue and I'm checking to see if the querystring
>is empty or if they were referred from the default page. That ensures
>that they have to access my page through the login.aspx page.
>I've omitted this part because I didn't think it was relevant. I just
>can't see why it would show up as empty string when trying to retrieve
>the value.
>I did some testing on our own server and showing the value of
>request.servervariables("HTTP_REFERER") was not a problem.
>Thanks
>Rob
Doesn't it also mean that with the correct faked referer details you
wouldn't have to log in?
Iain Norman | http://www.eliteforum.org
Does anyone know a better way of doing this? The client just wanted 2
things...that the user comes from the login page and that the guid that
is passed to me matches a field in another database where we keep their
contact information.
Worst case scenario is that someone fakes the referer and has to
register for an event where he would have to pay online for this guy.
Rob
Sounds like you need to check two things here: 1) That they are coming from
the login page, and 2) That they have successfully logged in. If either one
of these criteria is false, they need to be sent back to the login page,
right?
I would think that once the user logs in successfully, you could store the
GUID in a session variable? Just perform a check on the first page that the
HTTP_REFERER is correct and that they are logged in -- if so, set the
Session variable to the GUID on this page. On subsequent pages just check
that the Session variable exists and is set to the valid GUID (you can
either just check that the session variable actually exists, or for more
security check its validity against the database).
That's how I'm understanding your question anyway... I wouldn't pass
confidential info. like a GUID via QueryString.
Thanks
"Rob" <robert@.hotmail.com> wrote in message
news:OBUJOcgBFHA.2608@.TK2MSFTNGP10.phx.gbl...
> Does anyone know a better way of doing this? The client just wanted 2
> things...that the user comes from the login page and that the guid that
> is passed to me matches a field in another database where we keep their
> contact information.
> Worst case scenario is that someone fakes the referer and has to
> register for an event where he would have to pay online for this guy.
> Rob
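Added example, not code from any poster in this thread: a sketch of the server-side check the replies point toward, contrasting the HTTP_REFERER comparison with a short-lived, single-use ticket that the login server records in the shared database and the target page redeems. It is written in Python with an in-memory SQLite table standing in for that database so both servers can be modelled in one runnable file; the function names, table layout and 120-second lifetime are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

DEFAULT_PAGE = "http://www.thedefaultpage.com"  # URL from the original post
TICKET_TTL = 120  # seconds a ticket stays valid (assumed value)

def referer_gate(headers):
    """The thread's original check: it trusts a header the client supplies."""
    return headers.get("Referer", "") == DEFAULT_PAGE

def make_store():
    """Stand-in for the database both servers can reach (in-memory here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (digest TEXT PRIMARY KEY, contact_guid TEXT,"
               " expires REAL, used INTEGER DEFAULT 0)")
    return db

def issue_ticket(db, contact_guid, now=None):
    """Login server: call only after a successful login; put the result in the link."""
    now = time.time() if now is None else now
    ticket = secrets.token_urlsafe(32)  # unguessable, unlike a fixed GUID
    digest = hashlib.sha256(ticket.encode()).hexdigest()  # store only the hash
    db.execute("INSERT INTO tickets (digest, contact_guid, expires) VALUES (?, ?, ?)",
               (digest, contact_guid, now + TICKET_TTL))
    db.commit()
    return ticket

def redeem_ticket(db, ticket, now=None):
    """Target page: return the contact GUID, or None to redirect to the login page."""
    now = time.time() if now is None else now
    digest = hashlib.sha256((ticket or "").encode()).hexdigest()
    # One atomic UPDATE: it matches only an unused, unexpired ticket.
    cur = db.execute("UPDATE tickets SET used = 1 WHERE digest = ? AND used = 0"
                     " AND expires > ?", (digest, now))
    db.commit()
    if cur.rowcount != 1:
        return None
    row = db.execute("SELECT contact_guid FROM tickets WHERE digest = ?",
                     (digest,)).fetchone()
    return row[0]
```

After a successful redeem the target page would set its own session variable, as the reply above suggests, so later pages depend on neither the Referer header nor the query string.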