HTTP 302 redirect with full HTML page in the payload - http

Why would a site respond with an HTTP 302 (redirect) and include HTML in the payload? Check out godaddy.com. You will need an account to log in. When you log in you will see in an HTTP trace (I use firebug), a 302 returned with the location: header as expected, however the payload includes the complete HTML page. Next, as expected, you see the URL from the location header fetched with the same HTML payload. Why would they do that?

I don't know anything about GoDaddy but it may be a way to somewhat post information back to their server but not force your browser to do an "auto form post". I'm working with ADFS currently and with that security (and many others) the authentication authority sends back a 200 with html of a form, which when loaded immediately posts that form to your server.
I'm currently experimenting with sending back a 302 with the payload that redirects back to the server instead. This prevents a flash of white as that auto-post is taking place.
It's just a guess :)

Related

how to get a redirect with HTTP POST

I try to log in at a website with an HTTP POST. It doesn't work, I get the status code 200 instead of 303. Which mistakes could be the reason for that?
The typical explanation is that the website is designed to respond with the login page, if the authentication failed. A 200 can indicate that page content is available and returned successfully, while the page content indicates that the login failed. The most likely reason for this is browser compatibility, whereby some non-standard browsers might react differently to non-200 responses.

302 redirects from HTTPS to HTTP

In a situation where a browser has to be redirected back to a http site from a https site, can this be done using a 302 (or 303) redirect without causing any security alerts from the browser?
The redirect target could be a different domain to the system that was providing the https content, so the browser may have been accessing pages from https://server.domain1.com/ and now needs to be redirected to http://different.domain2.com/
The redirect may also be in response to a form post, but without re-posting the data. Will browsers bring up a security warning as a result of the 302 redirect in this instance? Does 303 help with any security alerts? I'd like to avoid displaying what would essentially be a blank page with only a meta-refresh or javascript function to trigger the redirection.
I've been trying to find a list of browsers and their responses to both 302 and 303 in this situation, but can't find any such list.
A normal redirect http to https should not trigger a warning (except in an iframe, for example) but a POST from an https page to an http page may trigger a warning.
And in any case, you should think about the safety of your users and use https rather than trying to avoid legitimate warnings.

Multiple http request in one request to different domain

Maybe this is an awkward question due to my lack of knowledge and I don't know which topic I should search to know about this, but I kind of hope/wish there was a solution.
What I mean is there any way I could send http requests to multiple domains ?
For eg: If I send an http request for a page www.facebook.com/stackoverflow.
I want a simple info that this link is clicked by someone by sending a message to my domain also. The URL can be changed to anything with primary URL still as main source.
What I mean plainly is
www.facebook.com/stackoverflow+{additional code to some way a request to my website also }
When you send a request for http://www.facebook.com/stackoverflow, it requires making a TCP connection to www.facebook.com's server and then sending an HTTP request for the /stackoverflow resource on that server. You can't make Facebook forward the same request to another server.
If you want the link to request your domain, you have to declare your domain as the target of the link. You can specify another URL as an extra parameter, so your domain can use an HTTP redirect to forward the client to that URL when ready. For instance, search engines do this all the time to track the links that users click on in search results.
For example:
http://www.example.com/doSomething?goto=http%3A%2F%2Fwww.facebook.com%2Fstackoverflow
The client would connect to the www.example.com server and send a request for /doSomething?goto=http%3A%2F%2Fwww.facebook.com%2Fstackoverflow. A script located at /doSomething can do whatever it needs to do, and then redirect the client to the URL in the goto parameter (http://www.facebook.com/stackoverflow).
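The click-tracking redirect described in the answer above, sketched as an added example (not code from the original answers). The function name, the host allowlist and the in-memory click log are assumptions; the allowlist is added so the script only forwards to destinations it expects.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Destinations the tracker will forward to (constructed for this example).
ALLOWED_HOSTS = frozenset({"www.facebook.com"})


def handle_do_something(request_target, click_log, allowed_hosts=ALLOWED_HOSTS):
    """Handle GET /doSomething?goto=<url>: record the click, then redirect.

    Returns (status, headers, body) so the logic can be checked without a socket.
    """
    values = parse_qs(urlsplit(request_target).query).get("goto", [])
    if len(values) != 1:
        return "400 Bad Request", {}, "expected exactly one goto parameter\n"
    target = values[0]  # parse_qs has already percent-decoded the value

    # Decoded CR/LF, spaces or non-ASCII must never reach the Location header,
    # and browsers treat "\" like "/", which confuses host parsing.
    if "\\" in target or any(not 0x21 <= ord(c) <= 0x7E for c in target):
        return "400 Bad Request", {}, "malformed goto URL\n"
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:  # e.g. an unterminated IPv6 literal
        return "400 Bad Request", {}, "malformed goto URL\n"

    # Only absolute http(s) URLs on an expected host are forwarded.
    if parts.scheme not in ("http", "https") or host not in allowed_hosts:
        return "400 Bad Request", {}, "goto destination not allowed\n"

    click_log.append(target)  # the "do whatever it needs to do" step
    headers = {"Location": target, "Content-Type": "text/html; charset=utf-8"}
    body = f'<a href="{html.escape(target, quote=True)}">Continue</a>\n'
    return "302 Found", headers, body
```

The short HTML body is only a fallback link; a browser that follows the 302 never renders it.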

Can I do a http post and then redirect?

I'm trying to understand this properly.
I have a simple web form which, in the page load, I have a bit of code that creates a HttpWebRequest object. This then performs a Http POST passing some info in the body.
The response passes back a 302 redirect just fine. How would I redirect to the location page from the response in the page load? If I did a Response.Redirect would that be doing an HTTP GET again?
In addition, some of the info I pass in the post body will determine if I can even access the page that it wants to redirect. What's stopping someone getting the location URL and just pasting that in the browser and essentially doing a HTTP GET as well?
It is a little confusing and I may not be grasping it correctly and would love some insight.
How would I redirect to the location page from the response in the page load?
Show the code that makes the request. You'll have to read the redirect location from the response and see MSDN: How to: Redirect Users to Another Page.
If I did a response.redirect would that be doing a get again?
Yes.
What's stopping someone getting the location URL and just pasting that in the browser and essentially doing a get as well?
If you mean the "location" header from the 302 response to the POST you make in your Page_Load: your server will perform this POST request, not the client's browser. So they won't see this request or the URL it points to.
However, if you redirect them to the location the 302 response to the POST is pointing to, then their browser will go there anyway.

Spring MVC redirect returning RedirectView doesn't allow src image link to load

When Spring MVC does a redirect, should the page redirected to be able to process embedded src attributes that hit a server to fetch an image, as if loading a page for the first time? It works correctly when accessed via a link on a web page. Is redirect different than loading a new page via a link? My understanding was that redirect should load a page completely, resolving all references, similar to the way it does when navigating to it via a link on a web page. Is my understanding incorrect?
An HTTP response known as a redirect looks like this
HTTP/1.1 302 Found
Location: http://www.yourhost.com/some-page
Connection: close
That's it. When your browser receives this response, it will send a new HTTP GET request to the URI in the Location header.
Your error is somewhere else.
