Thank you everyone for your response.

Mr. Dean, I was waiting for your response and I was glad to see your input.
;-)

Well, guys, I found one solution to this problem.

What I did was go to IIS 6, website, Properties, Home Directory, and under
Resource I selected "A redirection to a URL", and in the "Redirect to" field I
entered my new URL appended with $S and $Q. For example, www.abc.com$S$Q.

$S, as per the IIS docs, passes the matched suffix of the requested URL. The
matched suffix is the portion of the original URL that remains after the
redirected URL is substituted.

$Q passes both the question mark (?) and the parameters from the original
URL.

So now, www.xyz.com/subapp/home.cfm takes me to
www.abc.com/subapp/home.cfm, and let's say if I have
www.xyz.com/subapp/home.cfm?var1=yes, then it's
www.abc.com/subapp/home.cfm?var1=yes. The caveat to note here is that, if I
did not append $Q, the var1 was not being passed to the new URL. So adding
$Q fixed that issue.

Last thing: under the *The client will be sent to* option, I selected "The exact
URL entered above".

I hope this information is helpful.

So far this is working great. I will post back if I hear of any issues from
the client.

Thanks again,

-- 
<Ajas Mohammed />
http://ajashadi.blogspot.com
No matter what, find a way. Because thats what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention,
sincere effort, intelligent direction and skillful execution; it represents
the wise choice of many alternatives.
"Live as if you were to die tomorrow. Learn as if you were to live forever."
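
Added example, not part of the original message or of the code quoted below: a hardened form of the Application.cfm redirect that the quoted reply flags for HTTP response splitting. The target host is fixed and cgi.HTTP_HOST is only compared against an allowlist, never copied into the redirect; the `legacyHosts` list and the 400 response are assumptions.

```cfml
<!--- Added example; www.abc.com / www.xyz.com are the thread's placeholder names --->
<cfset canonicalHost = "www.abc.com">         <!--- fixed target, never taken from the request --->
<cfset legacyHosts   = "www.xyz.com,xyz.com"> <!--- assumed list of old names to redirect --->

<!--- The Host header is client-supplied and may carry a port; compare the name only --->
<cfset requestHost = LCase(ListFirst(cgi.HTTP_HOST, ":"))>

<cfif ListFindNoCase(legacyHosts, requestHost)>

    <!--- Path and query are also client-supplied: refuse CR/LF instead of
          letting them reach the Location header --->
    <cfset tail = cgi.PATH_INFO & cgi.QUERY_STRING>
    <cfif Find(Chr(13), tail) OR Find(Chr(10), tail)>
        <cfheader statuscode="400" statustext="Bad Request">
        <cfabort>
    </cfif>

    <cfset target = "https://" & canonicalHost & cgi.PATH_INFO>
    <cfif Len(cgi.QUERY_STRING)>
        <cfset target = target & "?" & cgi.QUERY_STRING>
    </cfif>

    <cflocation url="#target#" addtoken="no">
</cfif>
```

A Host value that is not in the list is not redirected at all, so an unexpected header cannot choose where the 302 points.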






On 4/25/08, Mike Staver <[EMAIL PROTECTED]> wrote:
>
> I want to make sure I'm understanding this right - according to wikipedia,
> you should URL encode cflocation values when they come from variables?
> More specifically, a variable like cgi.HTTP_HOST? It's odd to me that
> ColdFusion doesn't automatically verify something like that first.  From
> the article, it sounds like PHP already does some validation.
>
> > This code is insecure and subject to HTTP Response Splitting.  You
> > need to validate the various CGI variables before responding with a
> > 302 redirect.  Or, preferably, you use DNS to resolve both URLs to the
> > same server.
> >
> > http://en.wikipedia.org/wiki/HTTP_response_splitting
> >
> > -dhs
> >
> > Dean H. Saxe, CISSP, CEH
> > [EMAIL PROTECTED]
> > "Dissent is the purest form of patriotism."
> >      --Thomas Jefferson
> >
> >
> >
> > On Apr 25, 2008, at 9:53 AM, Ajas Mohammed wrote:
> >
> >> Hi,
> >>
> >> I have a client who has url say www.xyz.com. They want a new url
> >> www.abc.com
> >>  so that when user enters www.xyz.com, the user should see
> >> www.abc.com in his address bar of browser. Basically an alias/
> >> redirection with address bar showing the new url. I could have done
> >> redirection by dns names/url redirection at website level but
> >> problem is I have a subfolder application i.e. www.xyz.com/subapp.
> >>
> >> Now if I do dns/url redirection, and user tries to access subfolder
> >> application with this url, www.xyz.com/subapp/home.cfm, it takes the
> >> user automatically to www.abc.com/home.cfm i.e. the main application
> >> without the subfolder application, and I don't want that. It should
> >> take user to www.abc.com/subfolder/home.cfm.
> >>
> >> So to avoid this redirection at the website level, I added this code
> >> in Application.cfm
> >>
> >> Code:
> >> <!-- Relocate if not a secure connection -->
> >> <cfif cgi.SERVER_PORT is "80" and CGI.SERVER_PORT_SECURE is "0">
> >>
> >>      <!---replace xyz with abc --->
> >> <cfset x = "https://#Replace(cgi.HTTP_HOST,"xyz","abc")##cgi.PATH_INFO#">
> >>
> >>      <cfif cgi.query_string is "">
> >>              <cfset y = "">
> >>      <cfelse>
> >>              <cfset y = "?#cgi.query_string#">
> >>      </cfif>
> >>
> >>      <cflocation url="#x##y#"><cfabort>
> >>
> >> <cfelseif cgi.HTTP_HOST contains "xyz">
> >>
> >>      <!---replace xyz with abc--->
> >> <cfset x = "https://#Replace(cgi.HTTP_HOST,"xyz","abc")##cgi.PATH_INFO#">
> >>
> >>      <cfif cgi.query_string is "">
> >>              <cfset y = "">
> >>      <cfelse>
> >>              <cfset y = "?#cgi.query_string#">
> >>      </cfif>
> >>
> >>      <cflocation url="#x##y#"><cfabort>
> >>
> >> </cfif>
> >> My question to you guys is that
> >>
> >> 1. is this a good practice ?
> >>
> >> 2. do you see any security issues?
> >>
> >> 3. any performance issues?
> >>
> >> 4. does it ring any bells?
> >>
> >> 5. anything obvious I am missing here or do you have a better solution?
> >>
> >> Thanks,
> >>
> >> --
> >> <Ajas Mohammed />
> >> http://ajashadi.blogspot.com
> >> No matter what, find a way. Because thats what winners do.
> >> You can't improve what you don't measure.
> >> Quality is never an accident; it is always the result of high
> >> intention, sincere effort, intelligent direction and skillful
> >> execution; it represents the wise choice of many alternatives.
> >> "Live as if you were to die tomorrow. Learn as if you were to live
> >> forever."
> >> -------------------------------------------------------------
> >> Annual Sponsor - Figleaf Software
> >>
> >> To unsubscribe from this list, manage your profile @
> >> http://www.acfug.org?fa=login.edituserform
> >>
> >> For more info, see http://www.acfug.org/mailinglists
> >> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> >> List hosted by FusionLink
> >> -------------------------------------------------------------
> >
> >


