HTTP_REFERRER problems

doobster

Hello, I have a page that contains a form. The user pushes a submit button which takes the form to another page.

On the other page I check if a hidden form value was sent and I also check if the $HTTP_REFERRER was from within my domain.

For some reason members with firewalls or high security settings have problems with this. Is there not a better way to ensure the form was submitted within my domain? Or is there documented information about $HTTP_REFERRER doesn't function properly with some peoples set ups?

CaptianChaos

Unfortunately, you should not rely on HTTP_REFERRER, because it is sent by the client's browser. A clever hacker could spoof the HTTP_REFERRER header. The other problem with it you have already discovered: it may not get sent at all... so you have no idea what the http_referrer actually is.

You can solve this problem with sessions instead of passing the private part through a hidden tag in the form. Before you display the form page, create a session:

<?php
session_start();
$_SESSION['private_part'] = 'whatever';
?>
<form method="POST">
...
</form>

Then on the page where you accept the form data, you can link up the 'private_part' with the user's session. You remove the need for the hidden tag in the form.

<?PHP
session_start();
$private_part = $_SESSION['private_part'];
?>

$private_part will equal 'whatever' in this example.

Weedpacket

Besides, due to an accident of history, there are only three R's in REFERER.

Mordecai

Yes, it's what we all call...

(For those who don't get the joke: http://us.imdb.com/Title?0028346 )