
After discovering the unreliability of HTTP_REFERER, I was wondering what the best alternative is to indicate to an operation the correct URL of origin, which then performs an internal redirect. After reading various topics I seemed to understand that the only possible solutions are:

1) specify the referer URL directly as a parameter of the operation.

2) create a custom referer storage system using the session.

In my opinion, the first solution is logically more correct and free of contraindications. Using the second solution and storing the referrer in the session on every page request, it is possible that, when using the site in various tabs, the stored referrer does not correspond to the page from which we're actually sending the operation. Despite this bug (in my opinion quite ugly), this second solution seemed the most recommended by experts. Why? Did I miss something? Thank you all for your attention and sorry for my low level of English.

Domenico
  • With the first option you allow me to edit your URL parameter, so I can take control of the referer, and this can be insecure; with the second you can control it and it will be more secure. – maztch Apr 28 '15 at 09:57
  • I had considered this possibility ... however, a user can still want to manipulate any link and any form on the site, and basically the referer is nothing more than a link. At best, you could build a small helper that checks that the referer is included in a range of enabled routes. – Domenico Apr 28 '15 at 10:03

1 Answer


storing the referrer in the session on every page request, it is possible that, when using the site in various tabs, the stored referrer does not correspond to the page from which we're actually sending the operation. Despite this bug (in my opinion quite ugly), this second solution seemed the most recommended by experts

You could notify the server to update the session with the current page before leaving - this way the next loaded page will know what the previous one was, without passing anything in the URL.

That said, this solution still has some faults - it will break on any connection failure, or if someone loads multiple pages in multiple tabs and the requests go out of sync (it relies on the assumption that between the JavaScript sending a request on leaving the page and the server receiving the request to load the next page, nothing else occurs).

The best way would be to use both - this and HTTP_REFERER as a fall-back option.

Other than that, the mentioned passing of the current page in the URL will do, but it's understandable why you try to avoid it.

MarcinWolny
  • It's really a good idea, but this solution needs the use of JavaScript... with JavaScript enabled I do all the operations in AJAX, so I don't have the problem... – Domenico Apr 28 '15 at 12:42
  • So.. it needs to use JavaScript, or can't use JavaScript? ;) If it can't, then there really are only 2 ways - session or passing a parameter in the URL. You could try cookies, but the end result will be pretty much identical to sessions. – MarcinWolny Apr 28 '15 at 15:28
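An added example, not code from the question or the answer, of the "small helper that checks the referer is included in a range of enabled routes" mentioned in the comments, combined with the fall-back order the answer suggests (explicit parameter, then session-stored page, then HTTP_REFERER). The route allowlist, the host name and the candidate URLs are constructed for the example; whichever source the return target comes from, it is treated as user-controlled and validated the same way.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the site's own routes that may be redirect targets.
ENABLED_ROUTES = {"/", "/products", "/cart", "/account"}
SITE_HOST = "shop.example"  # constructed host name of this site


def safe_local_path(candidate, allowed_routes=ENABLED_ROUTES, host=SITE_HOST):
    """Return the route path if `candidate` points at an enabled route on this
    site, else None. Accepts a bare path or an absolute URL on our own host."""
    if not candidate:
        return None
    parts = urlsplit(candidate)
    # Reject foreign schemes (javascript:, data:, ...) and foreign hosts,
    # including protocol-relative forms such as //evil.example/cart.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None
    if parts.netloc and parts.netloc.lower() != host:
        return None
    path = parts.path or "/"
    # Paths must be absolute; "//x" and backslashes are rejected because some
    # browsers treat them as a host, not a path.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return None
    normalized = path.rstrip("/") or "/"
    return normalized if normalized in allowed_routes else None


def resolve_return_url(param, session_referer, header_referer, fallback="/"):
    """Pick the return target in the order discussed in the thread: explicit
    parameter, then page stored in the session, then the HTTP Referer header.
    Each candidate is validated; a fixed page is used if none is usable."""
    for candidate in (param, session_referer, header_referer):
        path = safe_local_path(candidate)
        if path is not None:
            return path
    return fallback


if __name__ == "__main__":
    # Constructed request: tampered parameter, valid session page, valid header.
    print(resolve_return_url("https://evil.example/cart", "/account",
                             "https://shop.example/products"))  # -> /account
```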