Ok the reason I've had to do it this way is because the application has 3
tiers. Cart -> Order Form(which takes credit card details so has to be
secure) -> store order(in database, also secure) -> confirm page(which has
to be unsecure because the credit card auth. site only allows connections
from non-SSL. Yes the credit card details are taken twice! customer needs
them himself for doing address checking etc as well as the payment). So
basically I was posting an order id from the store order page to the
confirm page in a querystring because a POST would bring up the "posting
2 different URL's. Couldn't use sessions, 2 different URL's again.
I did eventually solve it fairly simply just by taking the querystring
into the confirm page and posting the data back in an auto-submitting
form. Problem solved.
> The Referer is sent by the browser - you can't change this.
Have you thought of using cookies instead to store the querystring data
you are passing?
Link to a page on your server, get the necessary querystring information,
store it in a database, Response.Redirect() to the secure site
...there are probably other options (eg using the MSHTTPXML component to
simulate the page request by the client), but we probably need more
information on why/how you have things setup
From: "Paul Rogers" <progers@f...>
Subject: [proasp_howto] Replacing referer header in next page
: I have an unsecure page that is linked to from a secure page so I pass
: minor information via a querystring(this is absolutely vital by the way).
: This page then posts fields to a credit card authorizing company's
: The problem is this company, in it's infinite wisdom, have a fixed
: URL in their configuration. Say http://www.website.com/thispage.asp is
: in the system as the referer to allow access to the payment page. The
: referer I'm posting to the site because of the querysting is
: http://www.website.com/thispage.asp?qs=1&qs=2&qs=3&qs=4 which the payment
: site is rejecting. Is there anyway of altering the REFERER header(using
: Response.AddHeader maybe?) so only http://www.website.com/thispage.asp
: gets passed to the payment page as a referer even if the page i'm linking
: from has a querystring?