On Fri, 20 Aug 1999, Byte Code wrote:
> It was more of a security issue.
>
> Anybody in the world can make a request to Host A with a
> "RedirectedFrom" in the URL, and forge the request! That's hardly the
> solution!!
If security is such a concern, you can take some simple cryptographic
precautions -
make a cryptographic authString:
authString = md5sum( "HostA" + "a secret password" + "seed" )
and obtain RedirectedFrom's value by URL-encoding:
"HostA" + ":" + "seed" + ":" + "authString"
That resembles the HTTP Digest Authentication protocol.
If you're afraid evil hackers will re-use an older request, you can
think of "seed" as a long that always increments, and let
HostB remember the last seed received from HostA and accept only seeds
greater than the last one. So a request, once submitted, cannot be
"reused".
Even better than inventing a new security scheme is to try SSL.. ;-)
Regards,
Cezar.
>
> If Host A is referenced by a direct request and not a click on the page
> the Referer header returns null.
That's right.
>
> -Sam
>
> Cezar Totth wrote:
> >
> > Hi,
> >
> > On Fri, 20 Aug 1999, Srinivasan S (Systems Engineering Group) wrote:
> >
> > > sorry for this query how to add a query parameter with a URL
> > >
> > Well, its URL should look like:
> > http://hostBaddress:8008/servlet/ServletName?RedirectedFrom=HostA
> >
> > add to the usual URL
> > http://hostBaddress:8008/servlet/ServletName
> > the "?RedirectedFrom=HostA" ; You can pass multiple query parameters
> > by concatenating them with "&" (and) character:
> >
> > ?Param1Name=param1Value&Param2Name=param2Value
> > ^
> >
> > However you need to read carefully JSDK's docs;
> > the values for the parameters should be URL-encoded, before "packing" them
> > in a query string.
> >
> > regards,
> > Cezar.
> >
> >
> > >
> > >
> > > On Fri, 20 Aug 1999, Cezar Totth wrote:
> > >
> > > > Hi,
> > > >
> > > > The two hosts, A and B can also establish a convention by adding
> > > > a query parameter called "RedirectedFrom" :
> > > >
> > > > HostA adds an "?RedirectedFrom=HostA" to the URL, HostB does the similar
> > > > thing with care on building the redirected URL to preserve existing
> > > > query parameters and to add/change only "RedirectedFrom=..."
> > > > parameter.
> > > >
> > > > So both servlets can search for parameter "RedirectedFrom" to see
> > > > if the current request isn't in fact a redirect, and if it is, who did
> > > > the redirect.
> > > >
> > > > The "Referer" header may be there or not, depending on the browser.
> > > >
> > > > Cezar.
> > > >
> > > > On Thu, 19 Aug 1999, Craig R. McClanahan wrote:
> > > >
> > > > > Byte Code wrote:
> > > > >
> > > > > > Hi.
> > > > > >
> > > > > > Here is the scenario.
> > > > > >
> > > > > > Client sends a browser request to Host A
> > > > > >
> > > > > > Host A receives the request and redirects to Host B
> > > > > > Host B does some work and redirects back to Host A
> > > > > >
> > > > > > How do we determine now on host A that the request came from Host B???
> > > > > >
> > > > > > If both the servers do a response.sendRedirect() then a getRemoteHost()
> > > > > > and getRemoteAddress() always return the host and IP of the "originator"
> > > > > > of the request. AKA the browser.
> > > > > >
> > > > > > IS there anyother way to determine on A that the request actually came
> > > > > > from B?
> > > > > > ( after redir )
> > > > > >
> > > > >
> > > > > The problem is that the request really did come from the client in both
> > > > > cases. That's the way that redirects work:
> > > > >
> > > > > * Client calls Host A (remote host is Client)
> > > > >
> > > > > * Host A sends "redirect" back to Client
> > > > >
> > > > > * Client calls Host B (remote host is still Client)
> > > > >
> > > > > However, the client browser might include a "Referer" header to host B that
> > > > > said this request was "referred by" host A. Try looking for that (with a
> > > > > request.getHeader("Referer") call).
> > > > >
> > > > >
> > > > > > RFC 2109 and RFC 2068 aren't really explicit on this. Any ideas, people?
> > > > > >
> > > > > > -Sam
> > > > > >
> > > > >
> > > > > Alternatively, you could have Host A make the request itself to Host B
> > > > > (acting like a proxy) and return the results, instead of doing a redirect.
> > > > > You could
> > > > > use a URLConnection for this. Then, Host B would see Host A as the remote
> > > > > host in the request, instead of Client.
> > > > >
> > > > > Craig McClanahan
> > > > >
> > > > > ___________________________________________________________________________
> > > > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > > > of the message "signoff SERVLET-INTEREST".
> > > > >
> > > > > Archives: http://archives.java.sun.com/archives/servlet-interest.html
> > > > > Resources: http://java.sun.com/products/servlet/external-resources.html
> > > > > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
> > > > >
> > > >
> > > >
> > >
> > >
> >
>
>
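The signed-RedirectedFrom scheme Cezar sketches at the top of this thread (a shared secret, a per-request seed, a tag over host and seed, and HostB refusing any seed that does not exceed the last one it accepted), as an added Python example that is not part of the thread. It substitutes HMAC-SHA256 for the md5(host + secret + seed) concatenation and uses a constructed secret; the `RedirectVerifier` class and its method names are this example's own.

```python
import hmac
import hashlib
import urllib.parse

# Constructed shared secret for the example; both hosts would load it from config.
SECRET = b"a secret password"


def _tag(host: str, seed: int, secret: bytes) -> str:
    # Keyed MAC over "host:seed". A keyed MAC is used instead of a bare hash over
    # secret || data, which is exposed to length-extension on MD5-family hashes.
    return hmac.new(secret, f"{host}:{seed}".encode(), hashlib.sha256).hexdigest()


def make_redirected_from(host: str, seed: int, secret: bytes = SECRET) -> str:
    """HostA side: build the URL-encoded RedirectedFrom value "host:seed:authString"."""
    return urllib.parse.quote(f"{host}:{seed}:{_tag(host, seed, secret)}", safe="")


class RedirectVerifier:
    """HostB side: check the tag and enforce a strictly increasing seed per sender."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.last_seed: dict[str, int] = {}  # last accepted seed, keyed by sending host

    def verify(self, encoded: str) -> tuple[bool, str]:
        try:
            host, seed_str, tag = urllib.parse.unquote(encoded).split(":", 2)
            seed = int(seed_str)
        except ValueError:
            return False, "malformed"
        expected = _tag(host, seed, self.secret)
        # Constant-time comparison so a forged tag cannot be refined byte by byte.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False, "bad signature"
        # Replay check: a seed at or below the last accepted one is rejected.
        if seed <= self.last_seed.get(host, -1):
            return False, "replayed seed"
        self.last_seed[host] = seed
        return True, host
```

Note that the signature check runs before the seed check, so a forged value never advances `last_seed`, and the verifier must persist `last_seed` across requests (here it lives in memory) or the replay protection is lost on restart.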