When I checked the GTmetrix site in YSlow, it showed that I have a few URL redirects which I need to avoid to increase my site speed.
But I had URL redirects from
http://googleads.g.doubleclick.net/pagead/viewthroughconversion/997898667/?... redirects to http://www.google.com/ads/user-lists/997898667/?...
http://www.youtube.com/embed/XeyKZ4CVsWs redirects to https://www.youtube.com/embed/XeyKZ4CVsWs
http://www.youtube.com/embed/SjoNhZhuaGc redirects to https://www.youtube.com/embed/SjoNhZhuaGc
YouTube and Google Ads: is there any possibility of avoiding these?
For the ads, the general answer is No. Redirects are very common there and there isn't much you can do.
For the embedded youtube.com content, you could explicitly include them with secure links "https://" instead of "http://". That might save you some redirect penalties.
I have an HTTPS post coming in via a secure form. Without going into lengthy explanation: I need to call an action within the same controller that accepts two tokens passed as parameters. When I run Fiddler, I see that that method is being called with the parameters in the URL. My question is: Does this pose a security risk? Is there a more secure way of redirecting within the same controller?
Yes, it poses a security risk, but it is easily mitigated by simply validating that the URLs you are redirecting to are within the same domain as your source destination.
In fact, this is on the OWASP top 10.
A10 - Unvalidated Redirects and Forwards
EDIT:
I just realized that I missed the "ToAction" part of the question, so no, it's not really possible to redirect outside of the site with RedirectToAction, so there isn't a worry for that. However, if you are using direct user input to feed into your RedirectToAction (and that includes accepting post data that you generate in a different page) then it's possible that an attacker could redirect to a method you did not anticipate. However, this is no different from a user simply trying random URLs and hitting one, or knowing a URL and going to it manually. You need to have authorization in place to prevent access to URLs that the user does not have authorization to view.
If the original Action is accessed via HTTPS then RedirectToAction will redirect to a relative URL on the same domain using the same protocol.
So if your original page is
https://www.example.com/Foo/Bar
and this redirects to the FooBar action with some route parameters:
https://www.example.com/Foo/FooBar/1/2/3
an attacker cannot read the parameters 1/2/3 nor the rest of the URL.
However, the things you should bear in mind are:
The URL parameters will be logged by default by the browser (history), your server, corporate proxy servers and possibly other devices on your network.
If the user follows any links from your page to other https URLs, the referer HTTP header will contain your page address including parameters. Modern browsers will not send the referer header with http links though.
If there are any other https resources on your page this will cause the browser to send the referer header with the request.
For these reasons, if your parameters (1/2/3) are private, then you may wish to POST this data to the target page rather than use RedirectToAction (which results in a GET).
Note that you should be validating that the current user has access to the resources that 1/2/3 refers to (e.g. if the parameters were an order ID, you should check that the user identified by their auth cookies is allowed to see the order referenced). Keeping 1/2/3 private is only beneficial if the parameters are themselves sensitive (e.g. a social security number).
Note that the OWASP Top 10 vulnerability, "A10 - Unvalidated Redirects and Forwards" does not apply here as RedirectToAction can only redirect to another action. If the other action redirects to a user set URL, then the vulnerability would lie there instead.
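A short ASP.NET MVC sketch, added here as an example and not taken from the thread, of the distinction the answer draws: RedirectToAction is bound to an action of the application, while a redirect target taken from the request must be validated (here with Url.IsLocalUrl), and values that should not travel in the URL can be handed to the next request another way. The controller, action and parameter names are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Added example (not code from the original thread). Contrasts an action-bound
// redirect with a user-supplied redirect target that must be validated, and
// shows one way to keep two tokens out of the URL. Names are hypothetical.
public class AccountController : Controller
{
    // RedirectToAction can only target an action of this application, so the
    // destination cannot be steered to another site. The route values still
    // travel in a GET URL, which browsers, servers and proxies log.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string user, string password)
    {
        // ... authenticate user/password (omitted)
        return RedirectToAction("Summary", new { id = 42 });
    }

    // The OWASP A10 case: a target taken from the request. Url.IsLocalUrl
    // rejects absolute URLs, "//evil.example" and "/\evil.example" (MVC 3+).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LoginWithReturn(string user, string password, string returnUrl)
    {
        // ... authenticate (omitted)
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // Tokens that must not appear in the URL or in logs: hand them to the next
    // request through TempData (server side, consumed once) instead of route
    // values. This is an alternative to the POST the answer suggests.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Verify(string token1, string token2)
    {
        TempData["tokens"] = new[] { token1, token2 };
        return RedirectToAction("Confirm");
    }

    public ActionResult Confirm()
    {
        var tokens = TempData["tokens"] as string[];
        if (tokens == null)
            return new HttpStatusCodeResult(400);
        // ... validate tokens and check the user is authorized for them
        return View();
    }
}
```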
I am wondering if I should keep the GET pages off SSL, while the POST of that same URL on SSL? I am reading issues with doing redirects of required pages that need SSL with SEO. ASP.NET MVC has an attribute that however does a 302 redirect instead of a 301. Is there a best practice in doing this with SEO. I have pages such as Login, Register, an Account page.
Typically, in terms of SEO, the principles don't apply to forms as the spider doesn't try to complete the forms, so the redirects from these pages don't affect them. It is just static links etc. that they follow.
The main thing to worry about with SEO on a password protected site is ensuring that paid/private content doesn't end up in the search engine etc etc.
/* edit */
In terms of the redirect, I wouldn't use a flag on the controller to action this. If a site must be viewed via the https protocol, then I would set the Require SSL property on the directory in IIS and handle the 403.4 error specifically to issue a permanent redirect to the place the person was trying to access.
This will ensure any static pages that are accessed are pulled through the https protocol too.
Si
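The question notes that the MVC attribute answers with a 302. As an added example, not code from the thread, this subclass of RequireHttpsAttribute issues a 301 instead, for anyone who prefers the attribute route over the IIS Require SSL approach the answer recommends. The controller and action names are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Added example: RequireHttpsAttribute in ASP.NET MVC answers a plain-HTTP
// request with a 302; this subclass issues a 301 so search engines consolidate
// on the https URL. Like the base class it only redirects GET requests.
public sealed class RequireHttpsPermanentAttribute : RequireHttpsAttribute
{
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        // Only a GET can be replayed safely; redirecting a POST would drop its body.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("This resource must be requested over HTTPS.");
        // Rebuild the URL: same host, same path and query string, https scheme.
        var url = "https://" + request.Url.Host + request.RawUrl;
        filterContext.Result = new RedirectResult(url, permanent: true);
    }
}

// Usage: applied only to the pages that must be served over HTTPS.
public class AccountController : Controller
{
    [RequireHttpsPermanent]
    public ActionResult Login() { return View(); }
}
```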
One of my sites is for old mobile phones that don't accept cookies so it uses a URL-based Session ID.
However, Google is indexing the Session ID, so when my site is searched on Google, all the results come up with a specific Session ID.
On most occasions, that Session ID is no longer valid by the time a guest clicks on it, but I've had at least one case where a guest clicked on a link from Google and it actually logged them into someone else's account, which is obviously a huge security flaw.
So how can I keep Google from indexing the Session ID in my URLs? In case it helps, the Session ID has always been set to "Representative URL" in Google's Webmaster Tools.
You can do this by placing a robots.txt file in your root web directory to tell Googlebot and all other crawlers not to crawl URLs with that attribute.
Here is an example:
Lets say the URL you want to block is in the form of:
http://www.mywebsite.com/page.html?id=1234
The robots.txt syntax to block URLs with the id attribute is:
User-agent: *
Disallow: /*id
You can find out more about robots.txt at http://www.robotstxt.org
Read more about this at http://www.seochat.com/c/a/Search-Engine-Optimization-Help/Preventing-Duplicate-Content-on-an-ECommerce-Site-from-Session-IDs/1/
Check this out: https://developers.google.com/search/docs/advanced/crawling/consolidate-duplicate-urls. You can set canonical URLs and Googlebot will use this URL to crawl your web page; this can also solve duplicate URL issues for the same web page.
I just stumbled on this AdWords click:
http://www.google.com/aclk?sa=L&ai=XXX&sig=XXX&ved=XXX&adurl=http://example.com
It is supposed to redirect to example.com.
However, if you click on that link, it will redirect you to another site which is not http://example.com.
I think there is something fishy on that example.com.
That site can tell where its visitors come from and display different content for different visitors.
I thought it was the Referer, then I disabled the referer in my browser but that site still works.
Does anyone know how to determine where your visitors come from, other than the Referer?
Keep in mind that those clicks "bounce" (ie. redirect) through Google before heading to example.com.
Depending on the circumstance, Google can add additional query string values to the landing page URL during the redirect. Meaning that clickthroughs won't actually land on "http://example.com", but instead something like "http://example.com?gclid=1234567".
In particular, the gclid value is appended to the landing page URL as a way for Google to pass data between Google AdWords and Google Analytics.
So example.com could be looking for a gclid value in order to identify traffic arriving from AdWords. This is independent of the referrer.
The Referrer is the only thing that will do this, unless by "That site can tell where its visitors come from" you are talking about Geo-location....
Note: Referrers are not the most reliable thing in the world. They can be spoofed
I am trying to track the URL that referred my website. One way is using a custom affiliate URL which will do a redirect (302) to my site. I want to track where the users are coming from. However, I realize that after redirection, the HTTP_REFERER from the header defaults to '/' when I was expecting it to be the URL where the user was redirected from. Does the HTTP_REFERER header get deleted after redirection? If yes, is there a way to store this information?
I am using rails for my website and I am doing request.referer to get the HTTP_REFERER.
Referers are not guaranteed; they are completely optional and any number of things could be stripping them.