NYCPHP Meetup

NYPHP.org

[nycphp-talk] using $_SERVER['HTTP_REFERER']

Aaron Fischer agfische at email.smith.edu
Fri Mar 5 17:41:51 EST 2004


On Mar 5, 2004, at 5:08 PM, Chris Shiflett wrote:

> --- Aaron Fischer <agfische at email.smith.edu> wrote:
>> I am working on a page right now that uses HTTP_REFERER to make sure
>> that the user is coming from a specific page. It seems to be working
>> pretty well except for one little hiccup involving the back button:
>
> There are more problems with this approach than the one you've observed,
> but that is another discussion I suppose...
>

I figured as much.  :-)

>> Scenario:
>> The user clicks from the referrer page to my page and is let in OK.
>> When they are done they leave and go somewhere else. However, if they
>> choose to hit the back button they are let into my page again. I would
>> like to know how I can prevent this from happening?
>
> With a standards-compliant browser, you shouldn't be able to. As a
> standards-conscious developer, you shouldn't want to.
>

Can you clarify this?  Are you saying that a standards-compliant 
browser should show me the page again regardless of what I do, and as a 
standards-conscious developer I should not try and restrict them from 
hitting back and seeing the page?

> From section 13.13 of RFC 2616:
>
>    In particular history mechanisms SHOULD NOT try to show a semantically
>    transparent view of the current state of a resource. Rather, a history
>    mechanism is meant to show exactly what the user saw at the time when
>    the resource was retrieved.
>
> Hope that helps.
>
> Chris

Hmmm, when considering pages that contain sensitive information it 
seems problematic to leave the history transparent.  For example, if I 
am banking online and leave the banking site and then leave my computer 
unattended, I don't want someone else to be able to sit down and hit 
the back buttons or history buttons to see my private information.  Of 
course, I wouldn't let that happen.  But I am designing with the lowest 
common denominator in mind.  That is, the user with the least amount of 
technical information and/or the greatest propensity to leave 
themselves vulnerable to such exploits.  Isn't it my responsibility as 
a developer to do everything possible to protect the user's sensitive 
information from being viewed by parties other than themselves?

-Aaron
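As an added example, not code from anyone in this thread, here is a Python sketch of the two things the discussion circles around: why a Referer check is not an access control (the client chooses the header, and browsers and proxies are free to omit it), and what a server can do instead. The replacement shown is a session-bound, single-use entry token handed out by the referring page and consumed by the protected page, which denies a second visit (back button, reload, bookmark) until the user clicks through again. The headers function shows the Cache-Control/Pragma/Expires values that keep a sensitive response out of the browser cache; per RFC 2616 section 13.13 a history mechanism may still redisplay what the user already saw, so these headers reduce, not eliminate, the back-button exposure Aaron describes. The allowed URL, the session store and the request dictionaries are constructed stand-ins; in PHP the same header arrives as $_SERVER['HTTP_REFERER'].

```python
import secrets
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed stand-in for the "specific page" the user must come from.
ALLOWED_REFERER = "https://example.edu/start"


def referer_allows(headers: Dict[str, str]) -> bool:
    """The approach from the thread: gate on the Referer request header.

    Compares scheme, host and path exactly (a plain prefix match would also
    accept https://example.edu/started). Even so, anything the client sends
    can be forged with curl -H 'Referer: ...', and a browser that strips the
    header (privacy setting, https->http, proxy) locks out a legitimate user.
    """
    ref = headers.get("Referer")
    if not ref:
        return False
    got, want = urlsplit(ref), urlsplit(ALLOWED_REFERER)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


# Server-side session store: session id -> unconsumed entry tokens.
# Constructed in-memory stand-in for a real session backend.
SESSIONS: Dict[str, Set[str]] = {}


def issue_entry_token(session_id: str) -> str:
    """Called while rendering the referring page; the token is embedded in
    the link to the protected page and remembered server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, set()).add(token)
    return token


def consume_entry_token(session_id: str, token: Optional[str]) -> bool:
    """Called by the protected page. True exactly once per issued token, so
    a back-button revisit or reload without a fresh click-through is denied,
    and a token issued to one session cannot be replayed in another."""
    tokens = SESSIONS.get(session_id)
    if not tokens or token is None or token not in tokens:
        return False
    tokens.discard(token)
    return True


def sensitive_page_headers() -> Dict[str, str]:
    """Response headers for a page carrying private data. no-store tells
    HTTP/1.1 caches (including the browser's) not to retain the response;
    Pragma and Expires cover HTTP/1.0 agents."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def demo() -> Dict[str, bool]:
    """Walk through the scenarios from the thread with constructed requests."""
    genuine_click = {"Referer": ALLOWED_REFERER}
    forged = {"Referer": ALLOWED_REFERER}  # identical on the wire: curl -H
    referer_stripped: Dict[str, str] = {}  # browser/proxy omitted the header

    sid = "session-1"
    token = issue_entry_token(sid)
    return {
        "referer_accepts_genuine": referer_allows(genuine_click),
        "referer_accepts_forged": referer_allows(forged),
        "referer_rejects_stripped": not referer_allows(referer_stripped),
        "token_first_visit_allowed": consume_entry_token(sid, token),
        "token_back_button_denied": not consume_entry_token(sid, token),
        "token_other_session_denied": not consume_entry_token("session-2", token),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The token scheme answers the original question (letting a user in only once per click-through) without trusting anything the client asserts about where it came from; the cache headers address the separate concern of a shared or unattended machine, with the RFC 2616 caveat that the history view itself is the browser's to keep.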
