On 10/31/2014 11:18 AM, Mark Eggers wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/31/2014 5:06 AM, Léa Massiot wrote:
Hello and thank you for reading my post.
I'm trying to make a webapp work with HTTPS. It was working
properly with HTTP. Below is the problem I have.
Inside a servlet, in its "doPost()" method, to check whether the
"incoming JSP" is "example1.jsp" or "example2.jsp", I am using the
following piece of code:
-----------------------------------------------------------
s_referer = request.getHeader("referer");
if(s_referer.contains("example1.jsp") == true) { b_jspReferer1 =
true; } if(s_referer.contains("example2.jsp") == true) {
b_jspReferer2 = true; }
-----------------------------------------------------------
In "example1.jsp" and "example2.jsp" there is a "<form>" element
which "action" attribute is set to "do_example":
----------------------------------------------------------- <form
method="post" action="do_example"> [...] </form>
-----------------------------------------------------------
Now that I'm using HTTPS, "s_referer" is always equal to
"do_example" in the servlet. Before, it used to be either
"example1.jsp" in case the "incoming" JSP was "example1.jsp" and
"example2.jsp" in case the "incoming" JSP was "example2.jsp".
I don't know how to correct my code to be able to discriminate
between the two JSPs. Can you please help me?
I apologize in advance for the barbaric expression "incoming JSP".
I hope my point is understandable despite unfortunate expression.
Best regards.
-- View this message in context:
http://tomcat.10.x6.nabble.com/From-HTTP-to-HTTPS-request-getHeader-referer-tp5024782.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Times the referer will be empty:
1. entered the site URL in browser address bar itself.
2. visited the site by a browser-maintained bookmark.
3. visited the site as first page in the window/tab.
4. switched from a https URL to a http URL.
5. switched from a https URL to a different https URL.
6. has security software installed (antivirus/firewall/etc) which
strips the
referrer from all requests.
7. is behind a proxy which strips the referrer from all requests.
8. visited the site programmatically (like, curl) without setting the
referrer header (searchbots!).
Have you looked in various tools on the browser (developer tools on
Chrome, Tamper on Firefox, Fiddler on IE) to see if the referer is
being set?
. . . just my two cents
/mde/
Hi, Léa-
Rather than relying on REFERER, you might consider using different
action attributes in example1.jsp and example2.jsp. The targets could
be minimal servlets that set a parameter and forward to do_example.
Another approach would be to use hidden input elements in your forms
(e.g. <input type="hidden" name="formId" value="1">).
-Terence Bandoian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org