Server-side technologies, including server-side scripting languages and server configuration files with URLs or URL patterns for redirects.
This technique relates to:
The objective of this technique is to avoid confusion that may be caused
when two new pages are loaded in quick succession because one page (the one
requested by the user) redirects to another. Some user agents support the
use of the HTML meta
element to redirect the user to another page
after a specified number of seconds. This makes a page inaccessible to some
users, especially users with screen readers. Server-side technologies
provide methods to implement redirects in a way that does not confuse users.
A server-side script or configuration file can cause the server to send an
appropriate HTTP response with a status code in the 3xx range and a Location
header with another URL. When the browser receives this response, the location
bar changes and the browser makes a request with the new URL.
In Java Servlets or JavaServer Pages (JSP), developers can use HttpServletResponse.sendRedirect(String url).
Example Code:
…
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
…
response.sendRedirect("/newUserLogin.do");
}
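This sends a response with a 302 status code ("Found") and a
Location header with the new URL to the user agent. To send another
status code, set it with response.setStatus(int sc), using one of the
constants defined in the interface javax.servlet.http.HttpServletResponse,
and set the Location header with response.setHeader(String name, String value).
response.sendError(int code, String message) is not suitable for this: it
sends an error page containing the message and sets no Location header.
Example Code:
…
public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  …
  // 301 status with an explicit Location header
  response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
  response.setHeader("Location", "/newUserLogin.do");
}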
If an application uses HttpServletResponse.encodeURL(String url) for URL
rewriting because the application depends on sessions, the method
HttpServletResponse.encodeRedirectURL(String url) should be used instead of
HttpServletResponse.sendRedirect(String url). It is also possible to rewrite
a URL with HttpServletResponse.encodeURL(String url) and then pass this URL
to HttpServletResponse.sendRedirect(String url).
In Active Server Pages (ASP) with VBScript, developers can use Response.Redirect.
Example Code:
Response.Redirect "newUserLogin.asp"
or
Example Code:
Response.Redirect("newUserLogin.asp")
The code below is a more complete example with a specific HTTP status code.
Example Code:
Response.Clear
Response.Status = 301
Response.AddHeader "Location", "newUserLogin.asp"
Response.Flush
Response.End
In PHP, developers can send a raw HTTP header with the header function.
The code below sends a 301 status code and a new location. If the status
is not explicitly set, the redirect response sends an HTTP status code 302.
Example Code:
<?php
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.example.com/newUserLogin.php");
?>
Developers can configure the Apache Web server to handle redirects, as in the following example.
Example Code:
redirect 301 /oldUserLogin.jsp http://www.example.com/newUserLogin.do
Resources are for information purposes only, no endorsement implied.
Use standard redirects: do not break the back button! (W3C QA Tip).
HTTP 301 Permanent Redirection Techniques by Shailesh N. Humbad.
Interface javax.servlet.http.HttpServletResponse in the Java Servlets 2.3 API documentation.
header in the PHP Manual.
Apache Module mod_alias in the Apache HTTP Server Version 2.2 Documentation describes how redirects can be specified in Apache 2.2.
Module mod_alias in the Apache HTTP Server Version 1.3 Documentation describes how redirects can be specified in Apache 1.3.
1. Find each link or programmatic reference to another page or Web page.
2. For each link or programmatic reference to a URI in the set of Web pages being evaluated, check if the referenced Web page contains code (e.g., meta element or script) that causes a client-side redirect.
3. For each link or programmatic reference to a URI in the set of Web pages being evaluated, check if the referenced URI does not cause a redirect OR causes a server-side redirect without a time-out.
Step 2 is false AND step 3 is true.
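The checks in steps 2 and 3 can be partly automated. The following is an added example, not part of the original technique: it classifies a response as a server-side redirect (3xx status with a Location header), a client-side redirect (meta refresh naming a target URL), or neither. The names `MetaRefreshFinder`, `classify`, `failing_uris` and the sample responses are constructed for illustration; it assumes a meta refresh without a target URL (a plain reload) is not a redirect, and it does not detect script-based redirects.

```python
import re
from html.parser import HTMLParser

# content="5; url=/new" or content="0,/new": delay, separator, optional target
_REFRESH = re.compile(
    r"^\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]*))?", re.I)


class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, target) for each meta refresh that names a URL."""

    def __init__(self):
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "meta" and attr.get("http-equiv", "").strip().lower() == "refresh":
            m = _REFRESH.match(attr.get("content", ""))
            if m and (m.group(2) or "").strip():
                self.redirects.append((float(m.group(1)), m.group(2).strip()))


def classify(status, headers, body=""):
    """Return 'server-redirect', 'client-redirect' or 'none' for one response."""
    names = {name.lower(): value for name, value in headers.items()}
    if 300 <= status <= 399 and names.get("location"):
        return "server-redirect"  # 3xx + Location: followed at once, no time-out
    finder = MetaRefreshFinder()
    finder.feed(body)
    return "client-redirect" if finder.redirects else "none"


def failing_uris(responses):
    """URIs for which step 2 is true, so the expected result is not met."""
    return [uri for uri, resp in responses.items()
            if classify(*resp) == "client-redirect"]


# Constructed sample responses: (status, headers, body). Not real captures.
SAMPLES = {
    "/oldUserLogin.jsp": (301, {"Location": "http://www.example.com/newUserLogin.do"}, ""),
    "/oldUserLogin.php": (200, {"Content-Type": "text/html"},
                          '<html><head><meta http-equiv="refresh" content="5; '
                          'url=http://www.example.com/newUserLogin.php"></head></html>'),
    "/status.html": (200, {}, '<meta http-equiv="refresh" content="30">'),
    "/newUserLogin.do": (200, {}, "<html><body>Login</body></html>"),
}
```

Calling `failing_uris(SAMPLES)` lists the URIs that fail the expected result; to use it on a real site, fetch each referenced URI without following redirects and pass the status, headers and body to `classify`.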