
Get the domain of the website requesting to access another website

I have 2 different websites that need to be integrated. Let's name them, Web1 and Web2. I want to verify if the requesting Web1 is indeed the Web1 before allowing any access to Web2.

The Request.Url.Host will only get the domain of the current website. What I need is to verify the domain of Web1 inside the Web2 C# code.

Currently, this is how I call Web2 from Web1.

// Redirect the browser to Web2 when the button is clicked
$("#btn").click(function() {
    window.location.href = "http://Web2.com/Test";
});

Thanks

The URL referrer and Origin header can be spoofed, so they're not reliable.

The only way I can see being able to come close to a reliable solution is to add in server-to-server communication to perform the hand-off between the two applications.

So in your click event, these things would happen:

  1. The browser makes an AJAX call to Web1 to request a URL to Web2
  2. Web1 makes an HTTP call (from the server) to Web2
  3. Web2 returns a unique URL (for example, http://Web2.com/FromWeb1/8247983659, or maybe with a GUID, whatever you want)
  4. Web1 returns the unique URL to the browser
  5. The browser redirects the user to the unique URL
  6. Web2 verifies that the URL used is one that it generated and thus knows the user came from Web1

You'd still need some authentication in step 2 so that Web2 knows it's Web1 making the call, but at least that authentication is not being exposed to the browser.
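
The Web2 side of steps 2, 3 and 6 above, as an added example that is not part of the original answer. `HandoffService`, the HMAC-SHA256 shared key used to authenticate Web1's server call, and the 60-second lifetime are assumptions; it targets .NET 6 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original answer): Web2's side of steps 2, 3 and 6.
// HandoffService, the shared key and the 60-second lifetime are assumptions.
public sealed class HandoffService
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);
    private readonly byte[] _web1Key;   // secret known only to the Web1 and Web2 servers
    private readonly ConcurrentDictionary<string, DateTimeOffset> _issued = new();
    public HandoffService(byte[] web1Key) => _web1Key = web1Key;

    // Steps 2-3: Web1's server sends a nonce plus HMAC-SHA256(key, nonce).
    // Returns the one-time URL path, or null if the caller cannot prove it is Web1.
    public string? Issue(string nonce, byte[] mac, DateTimeOffset now)
    {
        using var hmac = new HMACSHA256(_web1Key);
        byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(nonce));
        if (!CryptographicOperations.FixedTimeEquals(expected, mac)) return null;

        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _issued[token] = now + Lifetime;
        return "/FromWeb1/" + token;
    }

    // Step 6: accept a token only once and only before it expires.
    public bool Redeem(string token, DateTimeOffset now) =>
        _issued.TryRemove(token, out DateTimeOffset expires) && now <= expires;
}

public static class Demo
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // constructed sample key
        var web2 = new HandoffService(key);
        var now = DateTimeOffset.UtcNow;
        using var hmac = new HMACSHA256(key);               // Web1 signs its request
        byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes("req-1"));
        string path = web2.Issue("req-1", mac, now)!;
        string token = path.Substring("/FromWeb1/".Length);
        Console.WriteLine(web2.Redeem(token, now));                        // first use
        Console.WriteLine(web2.Redeem(token, now));                        // replay of the same URL
        Console.WriteLine(web2.Issue("req-2", new byte[32], now) is null); // wrong MAC
        Console.WriteLine(web2.Redeem("guessed", now));                    // token never issued
    }
}
```

The token is random, single-use and short-lived, so a URL copied from the browser or guessed by a third party does not pass step 6, and the shared key never reaches the browser.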
