are there any alternatives to HTTP_REFERER as that only works for "clicking"
but it won't work for referrals from redirects?

Cheers

Ben Stones wrote:

> are there any alternatives to HTTP_REFERER as that only works for
> "clicking" but it won't work for referrals from redirects?
>

It does work in FF, but not in MSIE - as usual. I had a design that
relied on HTTP_REFERER, but I had to change for exactly that reason.
I'd be very interested to hear if anyone's got any general alternatives
that don't involve a lot of coding around the issue.


/Per Jessen, Zürich

there is no alternative!! HTTP_REFERER is passed thru
the HTTP headers. If the browser does not send this header
there is no way to get the referer anyway..
-------------------------------------
visit my webpage http://www.howhot.de

Per Jessen schrieb:
> Ben Stones wrote:
>
>> are there any alternatives to HTTP_REFERER as that only works for
>> "clicking" but it won't work for referrals from redirects?
>>
>
> It does work in FF, but not in MSIE - as usual. I had a design that
> relied on HTTP_REFERER, but I had to change for exactly that reason.
> I'd be very interested to hear if anyone's got any general alternatives
> that don't involve a lot of coding around the issue.
>
>
> /Per Jessen, Zürich
>

get the http_referer in the redirect script and pass the http_referer with
the redirect as a ?refer=


--
_ _
""Ben Stones"" <stonesben@googlemail.com> wrote in message
news:e40e63860810111130n4e7edb3ft4321863082237d14@ mail.gmail.com...
> are there any alternatives to HTTP_REFERER as that only works for
> "clicking"
> but it won't work for referrals from redirects?
>
> Cheers
>

By definition: The referer, or HTTP referer, identifies, from the
point of view of an internet webpage or resource, the address of the
webpage (commonly the URL, the more generic URI or the i18n updated
IRI) of the resource which links to it.

More detail at:
http://en.wikipedia.org/wiki/Referer
http://tools.ietf.org/html/rfc2616

So is a redirecting page a referrer or not? I don't know. Had no time
to translate the gibberish.

I experimented a bit with it and the most suitable solution I found
was passing the referring page on with a GET parameter ...

################## A page redirecting to test.php ##################
<?php
$location = (empty($_SERVER["REQUEST_URI"])) ? 'Location: test2.php' :
'Location: test2.php?ref='.urlencode(base64_encode(gzdeflate( $_SERVER["REQUEST_URI"],
8)));
header($location);
?>

################## test.php ##################
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Referrer Test Page</title>
<script type="text/javascript">
alert('Referrer ('+(typeof
document.referrer)+'['+document.referrer.length+']):
'+document.referrer);
</script>
</head>
<body>
<h1>Referred page</h1>
<?
$page = ($_GET['ref']) ?
@gzinflate(base64_decode(urldecode($_GET['ref']))) : 'not found';
echo <<<REFERRER
<h2>Referring page: $page</h2>
REFERRER;
?>
</body>
</html>

#####################

A yeti

Yeti wrote:

> By definition: The referer, or HTTP referer, identifies, from the
> point of view of an internet webpage or resource, the address of the
> webpage (commonly the URL, the more generic URI or the i18n updated
> IRI) of the resource which links to it.
>
> More detail at:
> http://en.wikipedia.org/wiki/Referer
> http://tools.ietf.org/html/rfc2616
>
> So is a redirecting page a referrer or not? I don't know. Had no time
> to translate the gibberish.

It doesn't have to be a redirect as such - when you set the URL using
javascript, there is also no HTTP_REFERER in MSIE.

> I experimented a bit with it and the most suitable solution I found
> was passing the referring page on with a GET parameter ...

Which becomes kludgy the minute you've got other GET arguments.


/Per Jessen, Zürich

On Mon, 2008-10-13 at 08:37 +0200, Per Jessen wrote:
> Yeti wrote:
>
> > By definition: The referer, or HTTP referer, identifies, from the
> > point of view of an internet webpage or resource, the address of the
> > webpage (commonly the URL, the more generic URI or the i18n updated
> > IRI) of the resource which links to it.
> >
> > More detail at:
> > http://en.wikipedia.org/wiki/Referer
> > http://tools.ietf.org/html/rfc2616
> >
> > So is a redirecting page a referrer or not? I don't know. Had no time
> > to translate the gibberish.
>
> It doesn't have to be a redirect as such - when you set the URL using
> javascript, there is also no HTTP_REFERER in MSIE.
>
> > I experimented a bit with it and the most suitable solution I found
> > was passing the referring page on with a GET parameter ...
>
> Which becomes kludgy the minute you've got other GET arguments.
>
>
> /Per Jessen, Zürich
>
>
You should look at developing the app so that it doesn't rely on
referrer information, as this is unpredictable as you've seen. Not just
with IE as well, because some proxy servers have been known to strip out
this information, and individual users can turn this off if they know
how.

What are you doing with it? Maybe there's another solution to the
problem.


Ash
www.ashleysheridan.co.uk

Ashley Sheridan wrote:

> You should look at developing the app so that it doesn't rely on
> referrer information, as this is unpredictable as you've seen.

Yep, that's what I did too. Can't remember exactly what I did, but I
suspect it involved setting info in the session,

> Not just with IE as well, because some proxy servers have been known
> to strip out this information, and individual users can turn this off
> if they know how.

That is/was not a concern in my case.

> What are you doing with it? Maybe there's another solution to the
> problem.

My problem was that I needed to use the HTTP_REFERER as the URL in a 303
redirect after a POST. From page 1 (list of items), the user would
click on an item and the new url would be set through javascript. On
page 2 (item detail), the user would then POST some action, after which
he should be returned to the original list at the same place. (The
list is a window of e.g. 500 items from a list of several thousands).

Anyway, I don't know what the OPs was trying do with HTTP_REFERER.


/Per Jessen, Zürich

On Mon, Oct 13, 2008 at 3:09 AM, Per Jessen <per@computer.org> wrote:
> Ashley Sheridan wrote:
>
>> You should look at developing the app so that it doesn't rely on
>> referrer information, as this is unpredictable as you've seen.
>
> Yep, that's what I did too. Can't remember exactly what I did, but I
> suspect it involved setting info in the session,
>
>> Not just with IE as well, because some proxy servers have been known
>> to strip out this information, and individual users can turn this off
>> if they know how.
>
> That is/was not a concern in my case.
>
>> What are you doing with it? Maybe there's another solution to the
>> problem.
>
> My problem was that I needed to use the HTTP_REFERER as the URL in a 303
> redirect after a POST. From page 1 (list of items), the user would
> click on an item and the new url would be set through javascript. On
> page 2 (item detail), the user would then POST some action, after which
> he should be returned to the original list at the same place. (The
> list is a window of e.g. 500 items from a list of several thousands).
>
> Anyway, I don't know what the OPs was trying do with HTTP_REFERER.
>
>
> /Per Jessen, Zürich
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

I don't bother with the referer at all. Whenever I've needed this
information I either:

1) store it in the session
2) store it in the url as a ?continue=url

Lately I've been having to build a lot of different ways of getting to
the same edit form. So to get the user back to where they came from
this previous url is quite important. Also it's imperative to
validate that the $_GET['url'] is a url that your system can handle
though.

http://www.owasp.org/index.php/Open_redirect