I'm stumped! I'm hoping that someone can help on this one.

I am trying to find a way to know what website has called an image from our server. For instance if website A placed an image from my server on a page, what is the url of that page?

I know that you can use ASP ServerVariables("HTTP_REFERER") as one method but I also know that this is unreliable as header information can be spoofed and if the image is called from a secure page (HTTPS) then there is no HTTP_REFERER information sent in the headers.

I know that there must be a way to do this because when I look at my website stats using AWStats I see visitors that come from secure sites such as https://www.paypal.com

If AWStats can track the referring websites that are visiting from HTTPS then there must be a way to do it.

Can someone help???

Well first of all, your ASP code only runs when somebody requests an ASP page. Your code has no idea when an image is requested by a page outside of your site. So the answer isn't code. ( Unless you want to write an HTTP handler or ISAPI filter. )

If you have awstats you've probably got a recent version of c-panel, with hotlink protection ... when somebody else puts an img tag on their site.

First off, the referer is slightly misleading in AWStats.

For example, you'll probably see an http://ootp.haymakerhockey.net referral in your stats now. If not, refresh your stats, since I just did it.

All I did was cut and pasted the first link from your signature into the address bar and boom, referral.

That site isn't leeching a thing off of you either. It's just a fantasy baseball league site I'm a part of. Nothing more, nothing less.

Second, if you're still having an issue with hotlinking, you might want to try this (I haven't, so I can't recommend it one way or the other...I just know it exists):

http://evolvedcode.net/content/code_antihotlink/

Thanks Forest and Adam,

You are both assuming that I want to prevent hotlinking. This is not the case. I simply want to know where someone has visited my website from. I can't use the HTTP_REFERER method because I need to know the referring website even if it came from a secure page.

I know this can be done somehow. I'm just not seeing the solution.

One thought that I had was to first read the HTTP_REFERER and if this is null then read the HTTPS_SERVER_SUBJECT. This variable contains the website to which a certificate was issued. The only thing I don't know is if this variable contains the server cert info for my site or the visiting site. My suspicion is that it is for my server which doesn't help.

Having said all of this; I'm still looking for a way to do this and any help is greatly appreciated.

I don't understand; how are you collecting info from server variables when an image is being requested?

Hi Forrest,

Let's say that I have a 1 pixel image named image.jpg and WebsiteA owner/webmaster allows me to place this tracking image on one of his pages (Page 1.) When someone visits page 1 image.jpg is called from our server. If page 1 is a non secure page (HTTP) then I have no problem using HTTP_REFERER to know that Website A called the image. However, if the image is placed on a secure page (HTTPS) then this method does not work.

I'm still stumped. Maybe I'm just not asking the right question. Again any help would be appreciated.

I'm still not sure I understand, but have you tried enumerating all the server variables for this type of request?

for(int i = 0; i < Request.ServerVariables.Count; i++)
Response.Write(Request.ServerVariables[i]);

If you set that up and then visit one of these pages with your image, and look at the results, if the answer is in there, this should tell you.

How many sites are you doing this with? Another option would be to use a different file for each site.

Hi Forrest,

I've already tried looking at all of the server variables. I'm not so sure that the answer is in here.

I'm still searching for the answer.

I think that I have solved this problem. From what I can tell the HTTP_REFERER will NOT be sent through the HTTP headers in IE or FireFox if a client has clicked on a link on a secure page.

However; if an image is displayed on a secure page then the referring URL IS passed in the headers. I just tested this in IE and FireFox. I can't speak for other browsers.

Stupid me. I was testing this with clickable links rather than trying with an image. This explains why PayPal shows up in my AWstats logs. They are pulling an image from my server.

Sorry for the trouble

Good you solved it.