When redirecting users from a legacy website to the new one, what is the best way to detect whether or not to show them a custom welcome message? - html

Say you have a legacy website running on an old code-base that offers certain functionality. The successor website is up and running, providing all the old functionality and more. For some time, there has been an HTML link on the old site pointing to the new one, for those users that care to click over.
Now, the legacy site is reaching its end of life, and you want to automatically redirect users to the new site, for example via a 301 or 302 redirect. However, when a user encounters this redirect, you want to also display a friendly message on the new site welcoming them and explaining why they are not seeing the old version.
When the user clicks an HTML link, the HTTP_REFERER header is populated, and the welcome message can be triggered via that value. However it appears that the same is not true when using 3XX redirect codes.
The top Google hit for this issue has this to say:
"HTTP 1.1 specification states it clearly: if a 3XX code is given, no
Referer value is passed. (eventually, the URL that pointed to 3XX site)."
(http://www.usenet-forums.com/apache-web-server/37811-how-set-referer-redirect.html#post145986)
However I could not find this statement in a quick read through the spec (https://www.rfc-editor.org/rfc/rfc2616).
Can anyone suggest the proper way to achieve this functionality?
Note: This is not meant to be an all-encompassing solution. We understand that some clients don't even send the HTTP_REFERER header for privacy reasons, but for the sake of argument, let's ignore that use case.

First, this should be a 301, not a 302 redirect. Your redirection is permanent, so you want to indicate that. As to how to indicate the redirect, just add a param to the URL. Instead of redirecting to http://www.newsite.com, redirect them to http://www.newsite.com?FromOldSite=Y

Could you just redirect them to a specific launch page? For example, if they try to visit http://oldsite.com/desired/page, just send them to http://newsite.com/welcome?nextpage=/desired/page. The welcome page could show the message and then pass them over to the content. Alternatively, you could send them right to the new page with a ?show_welcome=true in the URL.
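A sketch of the launch-page approach, as an added example that is not part of the original answers. A `nextpage` value taken from the URL can be set by anyone, so the welcome page should only continue to a path on its own origin. The host name `newsite.example` and all function names are assumptions.

```javascript
// Added example; NEW_ORIGIN is a placeholder for the new site's origin.
const NEW_ORIGIN = "https://newsite.example";

// Old site: build the Location value for the 301 from the legacy path and query.
function legacyRedirectTarget(legacyPathAndQuery) {
  const target = new URL("/welcome", NEW_ORIGIN);
  // searchParams.set percent-encodes the value, so "?" and "&" in the
  // legacy URL cannot leak into the welcome page's own query string.
  target.searchParams.set("nextpage", legacyPathAndQuery);
  return target.href;
}

// New site: accept nextpage only if it is a path on this origin.
function safeNextPage(raw, fallback = "/") {
  if (typeof raw !== "string" || raw === "") return fallback;
  // Must be site-relative. "//host" is scheme-relative, and browsers treat
  // "\" like "/" and strip tabs/newlines, so all of those are rejected.
  if (!raw.startsWith("/") || raw.startsWith("//")) return fallback;
  if (/[\\\x00-\x1f]/.test(raw)) return fallback;
  let resolved;
  try {
    resolved = new URL(raw, NEW_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== NEW_ORIGIN) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// New site: where the welcome page sends the visitor after the message.
function welcomeContinuation(requestUrl) {
  const url = new URL(requestUrl, NEW_ORIGIN);
  return safeNextPage(url.searchParams.get("nextpage"));
}
```
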

Not sure how you plan to redirect your users, but if you don't want to "ugly" up your URL, you might just set your own custom header when hitting the old site and then check for it at the new.

Related

Redirecting unless client has come from paypal

I'm trying to have the HTML code check where a client came from, so they can only access this page through a link. We will say this link is from PayPal after purchase, and if they don't go through PayPal they will be redirected to the home page of my website, which in this case is home.com (not really).
My Code:
if(!isset($_SERVER['HTTP_REFERER'])){
    <meta http-equiv="Refresh" content="0; url='https://bypassdetected!'" />
    header('location:../index.php');
    exit;
}
You would need to check if the contents of HTTP_REFERER includes 'paypal.com', although this is a dumb sort of check since it's easily spoofed and accomplishes little of value.
Regarding the action your code then takes, you can't combine HTTP header location redirects with HTML redirects, it's one or the other, but if you do try to send both, the headers have to be set before any body content.
Redirecting over to PayPal should be avoided in general. You should switch to a PayPal integration that does not use any redirects at all, such as this one: https://developer.paypal.com/demo/checkout/#/pattern/client -- then, your site always stays loaded in the background, which is a far better modern web experience.

Is it safe to use an iframe for a payment?

I have this question: is it safe to use an iframe to load the page where the customer will make the payment? For example PayPal or DineroMail, or the page that does the credit card payment.
My boss wants the customer to feel that they never leave the site, so in my site I added an iframe (and inside it I load the URL of the payment), but I don't know if this is correct and safe or not.
Thanks.
From a technical security point of view (Same Origin Policy), it is exactly as safe to open an iframe as it is to open a new tab.
From a UI point of view, opening an iframe in certain locations can deceive the user and you might be accused of trying to clickjack the user into making an inadvertent payment if you are not careful.
I cannot say anything about PayPal's own policy, but you should make sure they are okay with it.
I have been through this several times with many clients. A lot of it has to do with 1) he isn't comfortable with a customer leaving his site, in fear the checkout won't occur, or 2) it's a pride thing that he wants clients to feel all the services can be performed on site.
One of the things that your boss needs to understand is that people like using PayPal because they are trusted and it's a familiar process to them. He needs to know that not only are people OK with being redirected to PayPal, but they expect it. If I were to run into a site where they checked me out in an iframe on PayPal, it would be a red flag for me. Why? Because with the redirect I can see the address bar. I know that I'm at PayPal's site and I can see if it's a secure connection.
If he is dead set on a customer never leaving a site, he needs to do something like PayPal Payments Pro. This is probably the solution he really wants.
EDIT
I found your answer when dealing with the same issue myself last weekend and wanted to come back with something better!
It's called flex and it's a part of the adaptive payments classic API, which will take an additional application process that your boss may feel is well worth it.
https://developer.paypal.com/docs/classic/adaptive-payments/integration-guide/APIntro/
Head about 3/4 of the way down and you'll see step-by-step instructions to do exactly what you're looking for: a secure PayPal iframe.
Quick tip: If you have to incorporate it in your own processes, simply do the following.
1) Obtain your paykey after sending the request to PayPal.
2) Call in the JavaScript source as in the tutorial.
3) Redirect the window manually as opposed to their created PayPal button, aka https://www.paypal.com/webapps/adaptivepayment/flow/pay?paykey=YOURPAYKEY
Another good source is: https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/pp_adaptivepaymentsmobile.pdf
It is safe if Paypal allow it, but you have to be careful from a UI point of view.
If your site is loaded over http and you load the IFrame within your site, it appears to the user not to be secure even though the IFrame is loaded over https. This approach is also vulnerable to a MiTM attack as an attacker could intercept and change the IFrame URL to something like http://www.evil.com and nobody would be the wiser at the time of entering the card details.
If your site is loaded over https your customer has to trust you with their card details as they cannot be sure that the IFrame is actually pointing to the Paypal domain on https (https://www.paypal.com) and not your site. Yes they could right click and check the source, but this is a step too far for most users and technically an evil site could swap the IFrame for an evil version without the customer noticing.
My recommendation is to actually redirect to https://www.paypal.com because then it is shown in the address bar with a padlock and reassures users that they are giving their details to Paypal and nobody else.

Adding context information to the URL

I need to add context, or the current state of my website, to the URL of the page, so that if a user copies and sends the URL to another user, the other user can see the exact state of the website that the sender was viewing, i.e. the tab he was in and the data he was viewing. I have seen similar things being implemented in other websites like Facebook, Gmail, etc., but I don't know how to do that in my application. How should I approach this problem?
Use pushState and friends to modify the URL to one which your server can use to deliver a page that starts in the desired state.

Redirecting webpage programmatically

I have a feedback page in my website. In my website's homepage, when someone clicks on 'Feedback', it will open a modal window to ask a human verification question. If the response is correct, I want to programmatically open the URL to my feedback page.
My concern is:
The feedback page should not be accessible by directly entering the URL, i.e., www.mysite\feedback.html. How can I prevent this from opening my feedback page?
I'm also aware that my anti-spamming effort isn't the best option, but for now I don't need a robust mechanism.
Any solution?
Thanks.
Why don't you just put the CAPTCHA on your feedback page?
If that's not an option you need to use sessions to store the "captcha passed" flag and check for it on the contact page (also in your server-side code). After successfully submitting the form you need to clear the flag so someone cannot spam manually after completing just a single captcha.
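The session-flag approach from this answer, as an added example that is not part of the original post. It does not depend on any request header: the flag lives server-side, is checked on both the page and the submission, and is cleared after one successful submit. The plain `session` object stands in for whatever server-side session store is used, and the expiry time and function names are assumptions.

```javascript
// Added example; a pass expires so an old session cannot be reused later.
const PASS_TTL_MS = 10 * 60 * 1000; // assumption: 10 minutes

// Called when the modal's verification answer is posted to the server.
function recordCaptchaResult(session, answer, expected, now = Date.now()) {
  const ok = String(answer).trim().toLowerCase() === expected.toLowerCase();
  if (ok) {
    session.captchaPassedAt = now;
  } else {
    delete session.captchaPassedAt; // a wrong answer revokes any earlier pass
  }
  return ok;
}

function hasValidPass(session, now) {
  return typeof session.captchaPassedAt === "number" &&
    now - session.captchaPassedAt < PASS_TTL_MS;
}

// GET /feedback: typing the URL directly yields 403 without a pass.
function serveFeedbackPage(session, now = Date.now()) {
  return hasValidPass(session, now)
    ? { status: 200, body: "feedback form" }
    : { status: 403, body: "verification required" };
}

// POST /feedback: checked again server-side, then the pass is consumed.
function submitFeedback(session, message, now = Date.now()) {
  if (!hasValidPass(session, now)) return { status: 403 };
  delete session.captchaPassedAt; // one submission per solved question
  return { status: 200, stored: message };
}
```
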
You should be able to access the Referrer header of the request in your web platform. You can check this value to see if the referrer is from a page you accept. If not, you can return a 403 or whatever response, and if so, you can return the actual page. You will need access to a server-side framework, such as PHP or ASP.NET. Note, however, that it is easy to create HTTP requests and spoof the Referrer header.

Unsure about website address structure

In my websites I normally use Ajax, so the address is always something like
www.xxx.com for all pages.
But now I have read and searched on Google, and I can't understand how this type of site is made:
https://welshare.com/login
https://welshare.com/signup
If I change the address bar to login.php or asp or html, the page gives an error.
So my question is, how can I make something like that? Is it htaccess?
What is the login? A new page? A module?
If you are using Apache as your server, you'll want to look into mod_rewrite. IIS also has an extension for this called URL Rewrite.
Edit
To elaborate on how it works: Once you have your rules set up, it will look at the requested URL (say, mysite.com/test) and then on the server side, actually send a request to mysite.com/index.php?page=test. Whatever the output of the request is will be sent back to the user's browser and they will have no idea that that's actually the page that was requested.
mod_rewrite is the way to go. For a very easy-to-use tutorial, click the link.
What it does in a nutshell is take a URL like http://www.example.com/index.asp?page=login and, with the right parameters, transform it into http://www.example.com/login