Hi, I want a webpage to check that the visitor was sent there by one of our own pages. I was using $_SERVER['HTTP_REFERER'] until now but it didn't work for everyone... How do I overcome this problem? Thanks, Hodge
This variable is partially dependent on a user's web browser. A user can disable it or they could put something else in for the variable, so it isn't accurate nor should it be trusted. What exactly are you trying to accomplish by checking what page a visitor came from?
I want to prevent them from creating their own page on their site and submitting stuff from there. I used to use $_SERVER['HTTP_REFERER'] to check the domain where the POST was made from to make sure it was my own site. Now that I know that doesn't work, I want to seek an alternative solution...
Or maybe set a session variable on the initial page that you will ultimately be posting from? Then, on the page that you were checking the referer, check the session variable instead... Naturally this won't work for you across domains, but still...
HTTP_REFERER is as reliable as the user IP is, actually a bit more since you need to know web programming to bypass referral in contrast with IP changers. Peace,
azizny: don't want to sound rude, but you're totally incorrect. The referer value is sent by the browser (as opposed to any form of 'magic') and as such, is easy to fake. There are a number of extensions out there for Firefox that let you either fake a referer value or stop sending it completely. Oppose this with the user IP address which is picked up as part of the normal TCP/IP communication and I would say that in fact, your statement is around the wrong way.
The best you can do is use sessions, which has already been mentioned. Other than that there is nothing besides using the referrer information you have.
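The session check suggested in the replies above, written out in PHP as an added example (it is not code from any poster in this thread). The function names and the `form_token` key are assumptions, and plain arrays stand in for `$_SESSION` and `$_POST` so the block also runs from the command line.

```php
<?php
declare(strict_types=1);
// Added example: issue_form_token, check_form_token and 'form_token' are hypothetical names.

// Called on the page that renders the form: store a random token in the session.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// Called on the page that receives the POST: accept only the token we issued.
function check_form_token(array &$session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    $given    = $post['form_token'] ?? null;
    unset($session['form_token']);           // single use: a replayed POST fails
    if (!is_string($expected) || !is_string($given)) {
        return false;                        // no form was served in this session
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// In a web request, call session_start() and pass the superglobals:
//   form.php:   $t = issue_form_token($_SESSION);
//               echo '<input type="hidden" name="form_token" value="' . $t . '">';
//   submit.php: if (!check_form_token($_SESSION, $_POST)) { http_response_code(403); exit; }

// Constructed demonstration with arrays in place of $_SESSION / $_POST.
$session = [];
$token = issue_form_token($session);
var_dump(check_form_token($session, ['form_token' => $token]));  // POST from our own form
var_dump(check_form_token($session, ['form_token' => $token]));  // same POST replayed
$other = [];
var_dump(check_form_token($other, ['form_token' => 'guess']));   // POST from a page we never served
```

The token shows that the form was served to the same session that submits it, which is what the Referer check was standing in for. It does not stop a script that first requests the form page and then posts, so the submitted data still needs server-side validation.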
Actually that's not true. A large % of the time the HTTP_REFERER is inaccurate even when it isn't altered, and there are browser plugins to disable or fake the referrer. The IP is always transmitted even if it's spoofed or run through a proxy. Neither are reliable entirely, but the IP is altered a much lower % of the time than the HTTP_REFERER.
How is the referrer inaccurate most of the time even when it's not altered? And sure, you can spoof an IP, but it's pretty pointless if you want to receive a response from the web server.