[nycphp-talk] HTTP_REFERER does not work - alternatives?

ian forsyth ian at plusfour.org
Wed Sep 18 11:42:23 EDT 2002


$_SERVER['HTTP_REFERER'] should not be used.. oftentimes users behind a 
proxy are configured not to submit http_referer

note.. rfc2616

15.1.3 Encoding Sensitive Information in URI's

   Because the source of a link might be private information or might
   reveal an otherwise private information source, it is strongly
   recommended that the user be able to select whether or not the
   Referer field is sent. For example, a browser client could have a
   toggle switch for browsing openly/anonymously, which would
   respectively enable/disable the sending of Referer and From
   information.

   Clients SHOULD NOT include a Referer header field in a (non-secure)
   HTTP request if the referring page was transferred with a secure
   protocol.

   Authors of services which use the HTTP protocol SHOULD NOT use GET
   based forms for the submission of sensitive data, because this will
   cause this data to be encoded in the Request-URI. Many existing
   servers, proxies, and user agents will log the request URI in some
   place where it might be visible to third parties. Servers can use
   POST-based form submission instead

you could store $url = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; 
as an array in your session var... or you could use a cookie by 
unserialize($cookie); push($cookie[0],$url); serialize($cookie); (or 
something like that.. ) either way you will have an array of visited 
urls.. much like the javascript history method..

Ian

Phil Powell wrote:

>URL: http://valsignalandet.com/my/dummy.html
>        http://valsignalandet.com/my/layout.html
>
>Consider this:
>
>I have this URL, dummy.html, that only has a link that you click onto that takes you to layout.html, a framed HTML document with one PHP script, layout_bottom.php.
>
>This script, layout_bottom.php, attempts to capture the value of $HTTP_REFERER:
>
><?
>
> if (strlen($HTTP_REFERER) > 0)
>  $refURL = $HTTP_REFERER;
> else 
>  $refURL = $SCRIPT_NAME;
>
>?>
>
>However, $HTTP_REFERER is always null, even when I came from dummy.html it is still null, never receiving the previous URL value.
>
>Does anyone else out there know an alternative to $HTTP_REFERER? I've worked with it for years and it has constantly, CONSTANTLY failed me every single time, in PHP, TCL, ASP, Java, everything!  What else can I use to retain the previous URL that calls layout.html?
>
>Thanx
>Phil
>
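
The session-based history suggested in the reply above, as an added example that is not part of the original thread: it keeps the list server-side in the session, stores only the request path (the Host header, like Referer, is client-supplied), and caps the list length. The function names and `HISTORY_MAX` are hypothetical, and the sample requests are constructed.

```php
<?php
// Added example: server-side history of visited URLs kept in the session.
// Function names and HISTORY_MAX are hypothetical, not from the thread.

const HISTORY_MAX = 20; // cap so a client cannot grow the session without bound

// Accept only same-site relative paths; REQUEST_URI is client-supplied.
function is_local_path(string $uri): bool
{
    // Reject control chars (header/log injection) and overly long values.
    if ($uri === '' || strlen($uri) > 2048 || preg_match('/[\x00-\x1f\x7f]/', $uri)) {
        return false;
    }
    // Must start with a single "/": "//host" and "/\host" are treated as
    // absolute URLs by browsers and would allow an open redirect.
    return $uri[0] === '/' && !in_array($uri[1] ?? '', ['/', '\\'], true);
}

// Append the current request to the history stored in $session.
function record_visit(array &$session, array $server): void
{
    $uri = $server['REQUEST_URI'] ?? '';
    if (!is_local_path($uri)) {
        return;
    }
    $history = $session['history'] ?? [];
    if (end($history) !== $uri) {           // ignore reloads of the same page
        $history[] = $uri;
    }
    $session['history'] = array_slice($history, -HISTORY_MAX);
}

// The page visited before the current one, or $default if none is known.
function previous_url(array $session, string $default = '/'): string
{
    $history = $session['history'] ?? [];
    return count($history) >= 2 ? $history[count($history) - 2] : $default;
}

// Constructed sample requests; in a real page call session_start() and
// record_visit($_SESSION, $_SERVER) at the top of every script.
$session = [];
foreach (['/my/dummy.php', '/my/layout_bottom.php', '//other.example/x'] as $uri) {
    record_visit($session, ['REQUEST_URI' => $uri]);
}
echo htmlspecialchars(previous_url($session), ENT_QUOTES, 'UTF-8'), "\n"; // escape on output
```

Only requests handled by a PHP script are recorded, so a static page such as dummy.html would not appear in the history unless it is served through PHP.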




