Reliable &quot;referrer&quot;

Reliable "referrer"

lalloo

Is there a reliable way of finding referrer to a site than using getenv("HTTP_REFERER") ?

I am in a dire need of finding a solution to this. Visitors are allowed or denied access to certain parts of my site based on which site they come from. A list of allowed referrers is stored in a database and visitors are given access if the referrer is found on the list. It has to be as close to fool proof as possible. Any suggestions on how to reliably get the referrer info will be appreciated. Thanks.

djjjozsi

you can check the previous SESSION variable which stores the previous page identifer/pageID/filename

but this works in your domain only.

the problem whith the referrer is that the browser sends to your server, this might be fake or missing.

dagon

http is stateless, by 'default' no request has any knowledge of any prior requests

foyer

What is not reliable with $_SERVER['HTTP_REFERER'], like djjjozsi said it could be fake anyway so why rely on it

lalloo

Since getenv("HTTP_REFERER") is not all that reliable, what would you guys suggest we do? We need to allow access to certain pages of our site only if the visitor comes from some sites that we have in our database as authorized. If they append link to our site with a specific ID or something like that, it too can be used by unauthorized sites to gain access to restricted pages of our site. What is the standard practice in this scenario?

foyer

A username and password.

lalloo

Thanks for the suggestion. Unfortunately, user name and password is not an option. Ours is kind of "employee benefits" site. Employees of various companies log in to their company's intranet and from there click on a link to our site. We cannot make the employees register with us and login while they already have logged in to their own company site.

foyer

couldn't you give out a password to all those people who needed one, they don't need to 'register'. Could be a simple password screen

foyer

But even if you don't want to do that, I don't know what you mean about reliability issues with HTTP_REFERER. It works well for me

Weedpacket

foyer wrote:
It works well for me

My guess is that the gateway between the employees' various intranets and the outside world would tend to get in the way.

Couldn't you obtain a list of IP addresses for each company and use $_SERVER['REMOTE_ADDR']?

scrupul0us

heres what you do

page one:
start sessions and init a salt

page two:
check session for the salt, if it doesnt exist, then they didnt come from the previous page

lalloo

Thanks all for your answers.

Weedpacket:
Is $_SERVER['REMOTE_ADDR'] a fool proof method? I mean, do all browsers return (or return correct) IP adress to the server?

In any case, I think, IP address solution will not work because employees may be accessing their intranet sites from hundreds of different IP addresses.

Foyer:
$_SERVER['HTTP_REFERER'] is not reliable because not all browsers send the referrer info to the server or can possibly send incorrect information.

scrupul0us:
But how to make sure the visitors to "page one" have come from one of our partner sites?

scrupul0us

well honestly, if you are trying to identify a company... best bet is to assign them a key at the end of the access url and give them a identifier like dell does for EDU partnerships

e.g.

yourcompany.com/materials/?accessid=34lkj32453234lj

on the first landing page from the company have them enter a 5-8 character/digit key of sorts to "avoid" url sharing which can be provided on the intranet page for the company's users

foyer

lalloo;10905643 wrote:
Foyer:
$_SERVER['HTTP_REFERER'] is not reliable because not all browsers send the referrer info to the server or can possibly send incorrect information.

All the browsers that matter do

dagon

foyer;10905680 wrote:
All the browsers that matter do

so you are restricting access to only some browsers? What about fire walls and proxy servers? My fire wall strips the referrer.

foyer

no, the information I gather is just random statistic info, I wouldn't rely on it for authentication lol

dagon

foyer;10905687 wrote:
no, the information I gather is just random statistic info, I wouldn't rely on it for authentication lol

then im confused as previously you said

"Visitors are allowed or denied access to certain parts of my site based on which site they come from."

foyer

I'm not the OP

dagon

foyer;10905693 wrote:
I'm not the OP

Sorry.

foyer

But he could restrict access to browsers, I mean it seems like a controlled environment, some offices all probably running IE or Mozilla.