Null Url Referrer going from HTTPS to HTTP

February 25, 2009 at 5:10 PM, by Ben

Thought I would pass on a small issue I ran into recently when redirecting a user from an HTTPS page to an HTTP page. When the person reached the HTTP page, Request.UrlReferrer was null. There are browsers, add-ons, proxies, security suites and other entities that will strip the URL referrer sent to a web server, but that was not the case in this instance: this was happening to me when testing a new site, and it didn't happen when I was redirected to the same page from an HTTP page.

It turned out this is a pretty standard security feature implemented by browsers: the referrer is omitted when a user is redirected from an HTTPS page to an HTTP page, or when a user clicks on a hyperlink taking them from an HTTPS page to an HTTP page.

This behavior does make sense considering sensitive information may be stored in query string parameters of the HTTPS page URL. I found this MS KB article explaining this behavior. In the article, MS suggests some sites may even store credit card data in a URL. Credit card numbers in a URL ... really?? I was thinking more along the lines of private session ids in the URL. I don't think I'd feel too comfortable shopping at a site if I saw my credit card number in the address bar ;-)
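The rule described above (known as "no-referrer-when-downgrade") can be modelled in a few lines. This is an added example, not code from the original post: the function names and URLs are constructed, and the downgrade test is simplified to a scheme comparison. It also shows that the query string still travels in the referrer on HTTPS-to-HTTPS navigation, so the rule does not make session ids in URLs safe.

```javascript
// Returns the Referer value a browser applying the downgrade rule would
// send when navigating from fromUrl to toUrl, or null when it is omitted.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Only http(s) pages produce a Referer at all.
  if (from.protocol !== 'https:' && from.protocol !== 'http:') return null;

  // The downgrade case: secure page to non-secure destination.
  if (from.protocol === 'https:' && to.protocol !== 'https:') return null;

  // Fragment and embedded credentials are never part of the Referer.
  from.hash = '';
  from.username = '';
  from.password = '';
  return from.href; // path and query string are kept
}

// Server side: the header is optional and client-controlled, so code that
// reads it (Request.UrlReferrer in ASP.NET) must cope with it being absent
// or malformed and must not use it for access decisions.
function describeReferrer(headerValue) {
  if (!headerValue) return { usable: false, host: null };
  try {
    return { usable: true, host: new URL(headerValue).host };
  } catch {
    return { usable: false, host: null };
  }
}

// Constructed sample navigations (hosts and session id are made up).
const SAMPLES = [
  ['https://shop.example/checkout?sessionid=abc123#pay', 'http://partner.example/landing'],
  ['http://shop.example/page?x=1', 'http://partner.example/landing'],
  ['https://shop.example/checkout?sessionid=abc123#pay', 'https://partner.example/landing'],
];

for (const [from, to] of SAMPLES) {
  const sent = refererFor(from, to);
  console.log(`${from} -> ${to}`);
  console.log('  Referer:', sent === null ? '(omitted)' : sent);
  console.log('  server sees:', JSON.stringify(describeReferrer(sent)));
}
```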

Posted in: Development
