Monday 24 March 2008

Meta refresh vs. HTTP Redirect

There is well-known advice not to link directly to external resources if there is a chance that URL-based sessions are used. The session ID would simply leak in the Referer header.
The well-known alternative is to use a jump page: you publish a link to yourself (without a session in it), and then redirect the user out. I've suddenly found out (never thought about that before) that when you use the standard HTTP redirection mechanism, the original Referer is retained. I mean, if you're on the page http://site1.com/a and click on the link to http://site1.com/b which then redirects you to http://site2.com/, the Referer which site2 receives is http://site1.com/a.

However, if you use <meta http-equiv="refresh" content="0;http://site2.com">, the Referer is not sent. Strange, I could not find that anywhere on the web...
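A minimal jump page that can answer either way, as an added example that is not code from the original post. The /out path, the url query parameter and the target validation are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

def safe_target(url):
    """Accept only absolute http(s) URLs without whitespace or control chars."""
    if not url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return None  # also blocks CR/LF injection into the Location header
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    return url if parts.scheme in ("http", "https") and parts.netloc else None

def jump_response(query_string, use_meta_refresh=True):
    """Return (status, headers, body) for a jump request such as /out?url=..."""
    target = safe_target(parse_qs(query_string).get("url", [""])[0])
    if target is None:
        return "400 Bad Request", [("Content-Type", "text/plain")], b"bad target\n"
    if not use_meta_refresh:
        # HTTP redirect: per the post, site2 still receives the Referer of
        # the page that linked to the jump page (http://site1.com/a).
        return "302 Found", [("Location", target)], b""
    # Meta refresh: per the post, the browser sends no Referer to site2.
    # The target is HTML-escaped so it cannot break out of the attribute.
    escaped = html.escape(target, quote=True)
    body = ("<!DOCTYPE html><html><head>"
            f'<meta http-equiv="refresh" content="0;url={escaped}">'
            "</head><body></body></html>").encode("utf-8")
    return "200 OK", [("Content-Type", "text/html; charset=utf-8")], body

def app(environ, start_response):
    """WSGI entry point; mount it at the session-free jump URL (assumed /out)."""
    status, headers, body = jump_response(environ.get("QUERY_STRING", ""))
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```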
