Gaurav Pandey

Reputation: 2796

What can I use in place of a URL Referrer check to know where the request is coming from on my domain?

I have to implement a single sign-on kind of solution on my website. Let's say my website is www.myweb.com and I want to allow only users who come from the site www.sourceweb.com to use this site.

I thought the URL Referrer would do, but in IE it may come back null.

See here

Please suggest an alternative solution.

Thanks,

Gaurav

Upvotes: 2

Views: 2377

Answers (4)

Sani Huttunen

Reputation: 24385

If you have access to www.sourceweb.com and can modify the source then a possible solution would be:

  1. Create a webservice on www.myweb.com.
  2. Create a link on www.sourceweb.com.
  3. When the link is clicked, call the webservice to retrieve a unique id.
  4. Redirect the user to www.myweb.com and provide the unique id in the querystring.
  5. On www.myweb.com, confirm that the unique id is valid and remove it/mark it as used.

Upvotes: 2

Rune FS

Reputation: 21742

The very short answer: don't implement this yourself. Security solutions should not be implemented but bought. The only exception being if you actually develop security solutions for others to buy, of course.

Choose one of the many available SSO solutions and go with that. We use Microsoft's ADFS; though not perfect, it gets the job done for us with very little maintenance, and the only real hassle is for our applications hosted on non-Windows platforms like AIX.

There are so many chances of screwing things up when you try to implement your own security solutions. If you disagree, then just remember that annual contests are held to break the security systems of companies such as Apple, Microsoft, Mozilla and Google, and most years someone takes home the prize for breaking each of them.

Upvotes: 0

pyroscope

Reputation: 4158

There are many ways to skin a cat; one way in your case would be to set a cookie on the 2nd site, using a pixel gif (a 1x1 pixel small picture) embedded on a page of the main site. The 2nd site can then later allow access only when the cookie is already set.

To make this secure, you have to add a token to the pixel gif URL, containing a timestamp and signed using an HMAC or something similar, establishing a shared secret with the other site. Then you only set the cookie when the timestamp is recent (less than a minute ago) and properly signed.

Upvotes: 2
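The signed-timestamp token from this answer, combined with the single-use check from Sani Huttunen's answer above, as an added example that is not part of any of the posts. It assumes a shared secret known to both sites (the constant here is constructed), a 60-second freshness window, and an in-memory set of used nonces standing in for a shared store.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret for the example; both sites would load it from configuration.
SHARED_SECRET = b"example-shared-secret-not-for-production"
MAX_AGE_SECONDS = 60   # "less than a minute ago"
CLOCK_SKEW_SECONDS = 5  # tolerance for the two sites' clocks disagreeing


def _signature(secret: bytes, timestamp: int, nonce: str) -> str:
    """HMAC-SHA256 over the timestamp and nonce, hex encoded."""
    msg = f"{timestamp}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(secret: bytes, now: Optional[int] = None) -> str:
    """Run on www.sourceweb.com when building the pixel gif or link URL."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)  # makes each token unique so it can be marked used
    return f"{ts}.{nonce}.{_signature(secret, ts, nonce)}"


class TokenVerifier:
    """Run on www.myweb.com: checks signature, freshness and single use."""

    def __init__(self, secret: bytes, max_age: int = MAX_AGE_SECONDS):
        self.secret = secret
        self.max_age = max_age
        self.seen = set()  # nonces already redeemed; prune entries older than max_age

    def verify(self, token: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            ts_str, nonce, sig = token.split(".")
            ts = int(ts_str)
        except ValueError:
            return False  # malformed token
        # Check the signature first, in constant time, before trusting the timestamp.
        if not hmac.compare_digest(_signature(self.secret, ts, nonce), sig):
            return False
        # Reject stale tokens and tokens dated beyond the allowed clock skew.
        if not (-CLOCK_SKEW_SECONDS <= now - ts < self.max_age):
            return False
        # A captured URL must not work twice inside the window.
        if nonce in self.seen:
            return False
        self.seen.add(nonce)
        return True
```

The `seen` set must be shared across all www.myweb.com servers (a database or cache) or a replayed token would be accepted by a different node.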

Oded

Reputation: 498972

URL_REFERER is your best bet.

Keep in mind that like most HTTP headers, it is easy to forge and does not have to be provided.

Upvotes: 0
