tomcat-users mailing list archives

From "Terence M. Bandoian" <tere...@tmbsw.com>
Subject Re: From HTTP to HTTPS request.getHeader("referer")
Date Sat, 01 Nov 2014 19:44:35 GMT
On 10/31/2014 11:18 AM, Mark Eggers wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/31/2014 5:06 AM, Léa Massiot wrote:
>> Hello and thank you for reading my post.
>>
>> I'm trying to make a webapp work with HTTPS. It was working
>> properly with HTTP. Below is the problem I have.
>>
>> Inside a servlet, in its "doPost()" method, to check whether the
>> "incoming JSP" is "example1.jsp" or "example2.jsp", I am using the
>> following piece of code:
>> -----------------------------------------------------------
>> s_referer = request.getHeader("referer");
>>
>> if(s_referer.contains("example1.jsp") == true) { b_jspReferer1 = true; }
>> if(s_referer.contains("example2.jsp") == true) { b_jspReferer2 = true; }
>> -----------------------------------------------------------
>>
>> In "example1.jsp" and "example2.jsp" there is a "<form>" element
>> which "action" attribute is set to "do_example":
>> -----------------------------------------------------------
>> <form method="post" action="do_example"> [...] </form>
>> -----------------------------------------------------------
>>
>> Now that I'm using HTTPS, "s_referer" is always equal to
>> "do_example" in the servlet. Before, it used to be either
>> "example1.jsp" in case the "incoming" JSP was "example1.jsp" and
>> "example2.jsp" in case the "incoming" JSP was "example2.jsp".
>>
>> I don't know how to correct my code to be able to discriminate
>> between the two JSPs. Can you please help me?
>>
>> I apologize in advance for the barbaric expression "incoming JSP".
>> I hope my point is understandable despite unfortunate expression.
>>
>> Best regards.
>>
>>
>>
>> -- View this message in context:
>> http://tomcat.10.x6.nabble.com/From-HTTP-to-HTTPS-request-getHeader-referer-tp5024782.html
>>
>>
> Sent from the Tomcat - User mailing list archive at Nabble.com.
>
> Times the referer will be empty:
>
> 1. entered the site URL in browser address bar itself.
> 2. visited the site by a browser-maintained bookmark.
> 3. visited the site as first page in the window/tab.
> 4. switched from a https URL to a http URL.
> 5. switched from a https URL to a different https URL.
> 6. has security software installed (antivirus/firewall/etc) which
>     strips the referrer from all requests.
> 7. is behind a proxy which strips the referrer from all requests.
> 8. visited the site programmatically (like, curl) without setting the
>     referrer header (searchbots!).
>
> Have you looked in various tools on the browser (developer tools on
> Chrome, Tamper on Firefox, Fiddler on IE) to see if the referer is
> being set?
>
> . . . just my two cents
> /mde/
>


Hi, Léa-

Rather than relying on REFERER, you might consider using different 
action attributes in example1.jsp and example2.jsp.  The targets could 
be minimal servlets that set a parameter and forward to do_example.

Another approach would be to use hidden input elements in your forms 
(e.g. <input type="hidden" name="formId" value="1">).

-Terence Bandoian
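
The hidden-field approach from the reply above, sketched as an added example (not code from the thread or from Tomcat). It assumes each JSP's form carries `<input type="hidden" name="formId" value="1">` or `value="2"`; the class name, the enum, the value "2" and the 400 response are illustrative choices.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: servlet mapped to "do_example", as in the original post.
public class DoExampleServlet extends HttpServlet {

    // Hypothetical names for the two source forms.
    enum SourceForm { EXAMPLE1, EXAMPLE2 }

    // Allowlist lookup: only the values the two JSPs emit are accepted.
    // "1" is the value shown in the reply; "2" is assumed for example2.jsp.
    static SourceForm resolve(String formId) {
        if (formId == null) {
            return null; // parameter absent
        }
        switch (formId) {
            case "1": return SourceForm.EXAMPLE1;
            case "2": return SourceForm.EXAMPLE2;
            default:  return null; // anything else is not one of our forms
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        SourceForm source = resolve(request.getParameter("formId"));
        if (source == null) {
            // Missing or unexpected value: reject instead of guessing a branch.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown form");
            return;
        }

        // Same two flags as the original code, now independent of the Referer header.
        boolean b_jspReferer1 = (source == SourceForm.EXAMPLE1);
        boolean b_jspReferer2 = (source == SourceForm.EXAMPLE2);

        // formId is client-supplied, just like Referer: use it only to select
        // a code path, never as proof of where the request came from.
        response.setContentType("text/plain");
        response.getWriter().println(
                "example1.jsp=" + b_jspReferer1 + ", example2.jsp=" + b_jspReferer2);
    }
}
```

Unlike the `getHeader("referer")` check, this does not throw a `NullPointerException` when the browser or a proxy omits the header, and it behaves the same over HTTP and HTTPS.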

