URL redirection, also called URL forwarding, domain redirection and domain forwarding, is a technique on the World Wide Web for making a web page available under many URLs.
Similar domain names
A web browser user might mis-type a URL -- for example, "gooogle.com" and "googel.com". Organizations often register these "mis-spelled" domains and re-direct them to the "correct" location: google.com. For example: the addresses example.com and example.net could both redirect to a single domain, or web page, such as example.org. This technique is often used to "reserve" other TLDs with the same name, or make it easier for a true ".edu" or ".net" to redirect to a more recognizable ".com" domain.
Moving a site to a new domain
Why redirect a web page?
1. A web site might need to change its domain name.
2. An author might move his or her pages to a new domain.
3. Two web sites might merge.
With URL redirects, incoming links to an outdated URL can be sent to the correct location. These links might be from other sites that have not realized that there is a change or from bookmarks/favorites that users have saved in their browsers. The same applies to search engines. They often have the older/outdated domain names and links in their database and will send search users to these old URLs. By using a "moved permanently" redirect to the new URL, visitors will still end at the correct page. Also, in the next search engine pass, the search engine should detect and use the newer URL.
Logging outgoing links
The access logs of most web servers keep detailed information from where visitors came and how they browsed the hosted site. They do not, however, log which links visitors left by. This is because the visitor's browser has no need to communicate with the original server when the visitor clicks on an out-going link. This information can be captured in several ways. One way involves URL redirection. Instead of sending the visitor straight to the other site, links on the site can direct to a URL on the original website's domain that automatically redirects to the real target. This added request will leave a trace in the server logs saying exactly which link was followed.
This technique is also used by some corporate websites to have a "warning" page that the content is off-site and not necessarily affiliated with the corporation. This technique does bear the downside in the delay of an additional request to the original website's server. For websites that wish to display a "warning" page before automatically forwarding, the length of time the warning is displayed is an additional delay.
Short, meaningful, persistent aliases for long or changing URLs
Currently, web engineers tend to pass descriptive attributes in the URL to represent data hierarchies, command structures, transaction paths and session information. This results in a URL that is aesthetically unpleasant and difficult to remember. Sometimes the URL of a page changes even though the content stays the same.
Manipulating search engines
Some years ago, redirect techniques were used to fool search engines. For example, one page could show popular search terms to search engines but redirect the visitors to a different target page. There are also cases where redirects have been used to "steal" the page rank of one popular page and use it for a different page, usually involving the 302 HTTP status code of "moved temporarily." Search engine providers noticed the problem and took appropriate actions. Usually, sites that employ such techniques to manipulate search engines are punished automatically by reducing their ranking or by excluding them from the search index. As a result, today, such manipulations usually result in less rather than more site exposure.
Satire and criticism
In the same way that a Google bomb can be used for satire and political criticism, a domain name that conveys one meaning can be redirected to any other web page, sometimes with malicious intent.
Manipulating visitors
URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.
Techniques
There are several techniques to implement a redirect. In many cases, Refresh meta tag is the simplest one. However, there exist several strong opinions discouraging this method.
Manual redirect
The simplest technique is to ask the visitor to follow a link to the new page, usually using an HTML anchor as such:
Please follow [a href="http://www.example.com/">link/a]
This method is often used as a fall-back for automatic methods — if the visitor's browser does not support the automatic redirect method, the visitor can still reach the target document by following the link.
HTTP status codes 3xx
In the HTTP computer protocol used by the World Wide Web, a redirect is a response with a status code beginning with 3 that induces a browser to go to another location. The HTTP standard defines several status codes for redirection:
1. 300 multiple choices (e.g. offer different languages)
2. 301 moved permanently
3. 302 found (e.g. temporary redirect)
4. 303 see other (e.g. for results of cgi-scripts)
5. 307 temporary redirect
All of these status codes require that the URL of the redirect target is given in the Location: header of the HTTP response. The 300 multiple choices will usually list all choices in the body of the message and show the default choice in the Location: header.
Within the 3xx range, there are also some status codes that are quite different from the above redirects (they are not discussed here with their details):
1. 304 not modified
2. 305 use proxy
3. 306 not used
Using server-side scripting for Redirection
Often, web authors don't have sufficient permissions to produce these status codes: The HTTP header is generated by the web server program and not read from the file for that URL. Even for CGI scripts, the web server usually generates the status code automatically and allows custom headers to be added by the script. To produce HTTP status codes with cgi-scripts, one needs to enable non-parsed-headers.
Sometimes, it is sufficient to print the "Location: 'url'" header line from a normal CGI script. Many web servers choose one of the 3xx status codes for such replies. The HTTP protocol requires that the redirect be sent all by itself, without any web page data. As a result, the web programmer who is using a scripting language to redirect the user's browser to another page must ensure that the redirect is the first or only part of the response. In the ASP scripting language, this can also be accomplished using the methods response.buffer=true and response.redirect "http://www.example.com". Using PHP, one can use header("Location: http://www.example.com");.
According to the HTTP standard, the Location header must contain an absolute URI. When redirecting from one page to another within the same site, it is a common mistake to use a relative URI. As a result most browsers tolerate relative URIs in the Location header, but some browsers display a warning to the end user.
Using .htaccess for Redirection
When using the Apache web server, directory-specific .htaccess files (as well as apache's main configuration files) can be used. For example, to redirect a single page:
Redirect 301 /oldpage.html http://www.example.com/newpage.html
To change domain names:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^.*oldwebsite\.com$ [NC]
RewriteRule ^(.*)$ http://www.preferredwebsite.net/$1 [R=301,L]
Use of .htaccess for this purpose usually does not require administrative permissions, though it can be disabled.
Refresh Meta tag and HTTP refresh header
Netscape introduced a feature to refresh the displayed page after a certain amount of time. This method is often called meta refresh. It is possible to specify the URL of the new page, thus replacing one page after some time by another page:
1. HTML (meta) tag
2. An exploration of dynamic documents
3. Proprietary extensions
A timeout of 0 seconds means an immediate redirect.
JavaScript redirects
JavaScript offers several ways to display a different page in the current browser window. Quite frequently, they are used for a redirect. However, there are several reasons to prefer HTTP header or the refresh meta tag (whenever it is possible) over JavaScript redirects:
1. There are several reasons for some users to disable JavaScript:
1a. Security considerations
1b. Some browsers don't support JavaScript
1c. many crawlers (e.g. from search engines) don't execute JavaScript.
2. There is no "standard" way of doing it: A search for "you are being redirected" will find that virtually each JavaScript redirect employs different methods. This makes it difficult for Web client programmers to honor your redirect request without implementing all of JavaScript.
Frame redirects
A slightly different effect can be achieved by creating a single HTML frame that contains the target page. One main difference to the above redirect methods is that for a frame redirect, the browser displays the URL of the frame document and not the URL of the target page in the URL bar. This technique is commonly called cloaking. This may be used so that the reader sees a more memorable URL or, with fraudulent intentions, to conceal a phishing site as part of website spoofing.
Redirect loops
It is quite possible that one redirect leads to another redirect. For example, the URL http://www.wikipedia.com/wiki/URL_redirection (note the differences in the domain name) is first redirected to http://www.wikipedia.org/wiki/URL_redirection and again redirected to the correct URL: http://en.wikipedia.org/wiki/URL_redirection. This is appropriate: the first redirection corrects the wrong domain name. The second redirection selects the correct language section. Finally, the browser displays the correct page. Sometimes, however, a mistake can cause the redirection to point back to the first page, leading to an infinite loop of redirects. Browsers usually break that loop after a few steps and display an error message instead.
The HTTP standard states: A client SHOULD detect infinite redirection loops, since such loops generate network traffic for each redirection. Previous versions of this specification recommended a maximum of five redirections; some clients may exist that implement such a fixed limitation.
Services
There exist services that can perform URL redirection on demand, with no need for technical work or access to the webserver your site is hosted on.
URL redirection services
URL redirection services exist to shorten long URLs. Some web publishers have criticized the use of these services, arguing that replacing a URL with an encoded shortcut effectively erases information from a document. For instance, a redirected URL may link to a blacklisted site. Hyperlinks involving URL redirection services are frequently used in spam messages directed at blogs and wikis. Thus, one way to reduce spam is to reject all edits and comments containing hyperlinks to known URL redirection services; however, this will also remove legitimate edits and comments and may not be an effective method to reduce spam. Recently, URL redirection services have taken to using AJAX as an efficient, user friendly method for creating shortened URLs.
URL obfuscation services
There exist redirection services for hiding the referrer using META refresh, such as Anonymity.com and Anonym.to.
If the input is not sanitized (using htmlspecialchars()) someone could be supplied with a URL that executes some malicious JavaScript appearing to originate from the website hosting the PHP code. Further, the above example code may not work correctly with URLs containing variables, unless the input is first encoded, or code is added that loops across the $_GETs and pieces together the final URL.
