Browser Bugs in IIS Logs

I spent several hours today wading through IIS access logs. Not the most fun part of my job, but sometimes necessary. During the course of it though, I found a subtle difference in the way clients (browsers) pass the information that goes into these logs. Hopefully it will be of use to someone else.

I would imagine that most developers are familiar with the CGI.HTTP_REFERER variable. It can be very useful for things like web stats and affiliate programmes, but I wouldn't trust it too much! I'm not certain how ColdFusion creates this variable, but I would imagine it takes it from the referer value passed in request headers by the browser (or other client). It's these headers that are used to generate the IIS access logs.

While I haven't done any experiments with ColdFusion yet, it's with the IIS access logs that I noticed the browser differences. While both Firefox and IE correctly pass the referer in headers for normal links, Internet Explorer leaves the referer blank for JavaScript links. An example link would be something like:

<a href="#" onclick="window.location.href='test.cfm'">click me</a>

Before I continue, I don't recommend using this type of link at all - it breaks all sorts of accessibility guidelines. I was maintaining a legacy application, and found this used as a crude hack.

I'm not sure if I would class this as a bug in IE, but it's certainly something we need to be aware of. In my case, I couldn't figure out how the user had accessed a secure page, without leaving a referer in the log - it took me a while before I realised a dodgy JavaScript link had been used.

In summary, this is another reason why you should take access logs with a large pinch of salt. You can only trust the data in them as much as you trust the clients passing the data.
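When a protected page turns up in the log with no referer, pairing the hit with the same client's previous request is a quick way to see how they probably got there. The sketch below is an added example, not code from the original post: it parses IIS W3C extended logs and lists blank-referer hits together with that previous request. The log lines, IP addresses, field selection and the `/secure/` prefix are constructed assumptions.

```python
# Added example: constructed IIS W3C extended log lines, not from the post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) cs(Referer) sc-status
2008-06-25 10:01:02 192.0.2.10 GET /index.cfm Mozilla/4.0+(compatible;+MSIE+7.0) - 200
2008-06-25 10:01:09 192.0.2.10 GET /secure/test.cfm Mozilla/4.0+(compatible;+MSIE+7.0) - 200
2008-06-25 10:02:30 192.0.2.20 GET /index.cfm Mozilla/5.0+Firefox/3.0 - 200
2008-06-25 10:02:41 192.0.2.20 GET /secure/test.cfm Mozilla/5.0+Firefox/3.0 http://example.test/index.cfm 200
2008-06-25 10:03:44 192.0.2.30 GET /secure/test.cfm Mozilla/5.0+Firefox/3.0 - 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def blank_referer_hits(text, prefix="/secure/"):
    """Requests under `prefix` logged with no Referer ("-"), each paired with
    the same client's previous request so the likely entry path is visible."""
    last_seen, findings = {}, []
    for row in parse_w3c(text):
        client = (row.get("c-ip"), row.get("cs(User-Agent)"))
        stem = row.get("cs-uri-stem", "")
        if stem.lower().startswith(prefix) and row.get("cs(Referer)", "-") == "-":
            findings.append((row.get("time"), client[0], stem, last_seen.get(client)))
        last_seen[client] = stem
    return findings


if __name__ == "__main__":
    for when, ip, stem, previous in blank_referer_hits(SAMPLE_LOG):
        note = f"previous request {previous}" if previous else "no earlier request in log"
        print(f"{when} {ip} {stem}: blank referer, {note}")
```

A hit with a previous request on the same site points to a link that simply did not send the header; a hit with no earlier request needs a different explanation, such as a bookmark or a client that strips the header.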

You might also be interested in this blog entry on using CGI.HTTP_REFERER with CFLOCATION: ColdFusion CFLocation Only Passes Referrer Of The Referring URL

Comments
Firewall & security products can also prevent the referring URL from being sent (Norton for example) which might also explain its absence in web logs. Some Firefox plugins can also disable it.
# Posted By James Netherton | 26/06/08 07:36