Null Url Referrer going from HTTPS to HTTP

February 25, 2009 at 5:10 PM, by Ben

Thought I would pass on a small issue I ran into recently when redirecting a user from an HTTPS page to an HTTP page. When the user reached the HTTP page, Request.UrlReferrer was null. There are browsers, add-ons, proxies, security suites and other entities that will strip the URL referrer sent to a web server, but that was not the case in this instance: this was happening to me while testing a new site, and it didn't happen when I was redirected to the same page from an HTTP page.

It turned out this is a pretty standard security feature implemented by browsers: they omit the referrer when a user is redirected from an HTTPS page to an HTTP page, or when a user clicks a hyperlink taking them from an HTTPS page to an HTTP page.

This behavior makes sense considering sensitive information may be stored in the query string parameters of the HTTPS page URL. I found this MS KB article explaining this behavior. In the article, MS suggests some sites may even store credit card data in a URL. Credit card numbers in a URL ... really?? I was thinking more along the lines of private session ids in the URL. I don't think I'd feel too comfortable shopping at a site if I saw my credit card number in the address bar ;-)
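Browsers have since made this rule explicit through the Referrer-Policy header. The behavior described above is the no-referrer-when-downgrade policy, which was the browser default at the time; current browsers default to strict-origin-when-cross-origin, which additionally drops the path and query string on any cross-origin navigation. The Python below is an added example, not code from the original post: it models the decision a browser makes for each policy value, so you can see why an HTTPS-to-HTTP redirect arrives with no Referer at all, and why server code should treat Request.UrlReferrer as optional and keep session ids out of the URL. The shop.example and partner.example URLs are constructed sample values.

```python
"""Model of the browser decision behind a missing Referer header.

Added example, not the original post's code. The `policy` strings are the real
Referrer-Policy values; the default at the time of the post was
no-referrer-when-downgrade, which is what produced the null Request.UrlReferrer.
URLs used in main() are constructed samples.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """scheme://host[:port], with a default port omitted (what the browser sends for 'origin')."""
    host = parts.hostname or ""
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def _full_referrer(parts):
    """The full referring URL as sent on the wire: credentials and fragment are always stripped."""
    url = _origin(parts) + (parts.path or "/")
    return url + ("?" + parts.query if parts.query else "")


def referer_header(referring_url, destination_url, policy="no-referrer-when-downgrade"):
    """Return the Referer value a browser would send, or None when it sends nothing."""
    src = urlsplit(referring_url)
    dst = urlsplit(destination_url)
    if src.scheme not in DEFAULT_PORTS:
        return None  # about:, file:, data: ... pages never produce a Referer
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = _origin(src) == _origin(dst)
    origin_only = _origin(src) + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full_referrer(src)
    if policy == "no-referrer-when-downgrade":
        # The 2009-era default: full URL, except nothing at all on HTTPS -> HTTP.
        return None if downgrade else _full_referrer(src)
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "same-origin":
        return _full_referrer(src) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _full_referrer(src) if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        # Today's default: full URL only within the same origin, origin otherwise,
        # and still nothing on a downgrade.
        if same_origin:
            return _full_referrer(src)
        return None if downgrade else origin_only
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


if __name__ == "__main__":
    secure = "https://shop.example/checkout?session=abc123"
    targets = ("http://shop.example/thanks", "https://shop.example/thanks", "https://partner.example/")
    for target in targets:
        for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
            print(f"{policy:32} {target:30} -> {referer_header(secure, target, policy)}")
```

The practical takeaways for the server side are the same as the KB article's: a site can set a Referrer-Policy response header on its HTTPS pages to control what leaks when users leave, and nothing in the application should depend on the Referer being present, since the browser is entitled to omit it.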

Posted in: Development


SSL Certificate for WWW and no WWW

February 1, 2009 at 12:14 PM, by Ben

I was recently buying an SSL certificate and remembered being on a website where some HTTPS pages had a WWW host in the URL and other HTTPS pages didn't have the WWW prefix. I vaguely remember from when I last bought an SSL certificate that you would normally indicate the host name you are buying the SSL certificate for -- whether it be,,  And the SSL certificate would only be valid for that exact host.

There are also wildcard SSL certificates that cover all hosts. These certificates are a lot more expensive. Wildcard certs cover,,  Interestingly, it appears SSL certificates do not necessarily cover cases where you have no host -- i.e.   An example of this is the customer login page at the hosting company where I have this blog hosted. If you examine the certificate, it looks like it uses a wildcard certificate as the common name is *  However, if you remove the WWW from the URL, my browser (Firefox) warns of an invalid security certificate. What a sour deal ... you spend the extra money for a wildcard certificate and it doesn't even work when there's no host name! I'd suspect that may not be the case with all wildcard certificates ... it probably depends on who you buy the certificate from.

In my case, I didn't need a wildcard security certificate, but I was hoping I could cover both and  One option would be to buy two separate SSL certs, one for and one for  Fortunately a few SSL certificate sellers cover both WWW and no host in a single certificate as a standard feature.  GoDaddy was one of the two places I found that offered this.  I didn't search around that much though.  GoDaddy's SSL certificate is dirt cheap at just $30.  What a great deal considering how expensive SSL certs once were.

GoDaddy briefly explains this feature in this help topic. What I wasn't sure about was, when creating the CSR that you submit to the SSL certificate seller, whether I should put or for the common name (CN) field in the CSR. The website I had previously seen where HTTPS worked with and without WWW was using a GoDaddy SSL cert, and the common name on the cert was just without the WWW. And then I ran across this post where the blogger discussed this feature of the GoDaddy SSL certificates, and towards the end of his post, he says,

Therefore, to summarize the solutions, I can say that you can use a wildcard certificate or issue two separate certificates that both cost money and may not be a good option for many cases. You can also look for an SSL certificate issuer that automatically includes the base domain name when you generate one for the domain name with "WWW."

This last part sounds like you would generate an SSL certificate with as the common name -- not  But, when I examined his SSL certificate, the common name doesn't have the WWW! Anyhow, I decided to include WWW in my common name field, sent the CSR to GoDaddy, received the certificate, installed it, and the good news is my site works both with and without the WWW. Looking at the certificate fields when examining these SSL certificates from GoDaddy, of the ones I've seen, they all have a field named "Certificate Subject Alt Name" where the field value is:

Not Critical
DNS Name:
DNS Name:

This may be the field that tells the browser the certificate is valid with or without the WWW.  In summary, it appears you can probably put either or in the common name (CN) field of the CSR when purchasing the SSL certificate from GoDaddy.  I included the WWW in my common name, and the certificate is valid with and without the WWW host.
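The "Certificate Subject Alt Name" field is indeed what browsers use for this. RFC 2818 and RFC 6125 say the host name is matched against the SAN DNS names whenever any are present, and the common name is only a fallback when there are none (modern Chrome and Firefox ignore the CN altogether). They also say a wildcard label matches exactly one label, so *.example.com never matches the bare example.com, which is the behaviour observed above at the hosting company's login page; whether a wildcard certificate also works for the bare name depends on whether the CA listed it as a second SAN entry. The Python below is an added example, not code from the post or from GoDaddy: it implements those matching rules over constructed names (example.com, www.example.com and friends, standing in for the domains elided above) so you can check which host names a given CN/SAN combination would be accepted for before buying or installing a certificate.

```python
"""Host-name matching against a certificate's names, following RFC 2818 / RFC 6125.

Added example: the names used here (example.com, www.example.com, ...) are constructed
placeholders, not the domains from the original post.
"""


def hostname_matches(hostname, pattern):
    """Return True if `hostname` is matched by one certificate name `pattern`.

    Rules applied (RFC 6125 section 6.4.3, as browsers implement them):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only honoured as the whole left-most label ("*.example.com"),
        never inside a label and never for a public suffix such as "*.com";
      * the wildcard matches exactly one label, so "*.example.com" matches
        "www.example.com" but neither "example.com" nor "a.b.example.com".
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")

    if "*" not in pattern:
        return host_labels == pat_labels

    # Wildcard names: '*' must be the entire first label, no other label may
    # contain '*', and at least two literal labels must follow it.
    if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]) or len(pat_labels) < 3:
        return False
    if len(host_labels) != len(pat_labels):
        return False  # '*' stands for exactly one label: the bare domain is NOT covered
    return host_labels[1:] == pat_labels[1:]


def certificate_covers(hostname, common_name, san_dns_names=()):
    """Decide whether a certificate with the given CN and SAN DNS names is valid for `hostname`.

    RFC 2818: when a subjectAltName extension with dNSName entries is present it MUST be
    used and the CN is ignored; the CN is consulted only when there are no SAN DNS names.
    """
    candidates = list(san_dns_names) if san_dns_names else [common_name]
    return any(hostname_matches(hostname, name) for name in candidates)


def coverage_report(common_name, san_dns_names, hostnames):
    """Map each host name to whether the certificate would be accepted for it."""
    return {host: certificate_covers(host, common_name, san_dns_names) for host in hostnames}


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "login.example.com", "a.b.example.com"]

    # Case 1: a wildcard certificate whose only SAN is the wildcard itself
    # (the hosting-company login page: fails for the bare domain).
    print("wildcard only :", coverage_report("*.example.com", ["*.example.com"], hosts))

    # Case 2: a certificate listing both the WWW and the bare name in the SAN, which works
    # for both regardless of which one went into the CN (the GoDaddy-style certificate).
    print("www + bare SAN:", coverage_report("www.example.com", ["www.example.com", "example.com"], hosts))
```

Python's own ssl module used to expose this logic as ssl.match_hostname(); it was deprecated in 3.7 and removed in 3.12 in favour of OpenSSL's built-in check, but the rules above are the ones both apply. Running the script reproduces the two situations in the post: the wildcard-only certificate is rejected for example.com, while the certificate with both SAN entries is accepted for example.com and www.example.com whichever name the CSR's CN carried.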

Posted in: General
