Hi all,

Several of our web apps are distributed across many sites and we often need to validate the transfer from one site to another. In our ASP.NET application we always use Request.UrlReferrer to check where the visitor came from and have never come across an issue with this. We are currently trying to integrate a PHP site into a distributed ASP.NET web app and need to do the same. The problem here is that HTTP_REFERER is always blank. What could be causing this? Is there another variable that we need to use to replicate the functionality of ASP.NET's Request.UrlReferrer?

Thank you for your time,

Stephen

    Hey,

    Thanks for the reply. Yeah, we're aware of the fickle nature of headers. We usually combine this with encrypted GET variables or cross-domain cookies for transfers that require security. I had found a lot of other posts saying that HTTP_REFERER doesn't work, but none really explaining why. It doesn't make much sense to me as Request.UrlReferrer has never failed us like this has. It would be very useful to find a more reliable means of checking the referer.

    Stephen

      The only one who knows what the previous page was is the web browser. And even if all browsers at some point in time include this information, there's nothing stopping people from writing their own browsers that do not. And then there is privacy software that may strip such information as well.
      And since you can't tell the difference between something like the above and someone typing the URL directly or using a bookmark instead of clicking a link, there is no way to force people to have a HTTP_REFERER to gain access to your site. Unless of course you're willing to take away their possibility of using a BM to get there in the first place.

      However, if this is only an issue when they really should come from one of your other sites and should not be given direct access in a specific place, you could of course require that they have HTTP_REFERER. It's just likely to make them go elsewhere instead if they have the option though.

      And you can't trust UrlReferrer any more than you can HTTP_REFERER.

        sroughley wrote:

        I had found a lot of other posts saying that HTTP_REFERER doesn't work, but none really explaining why.

        Well for one, the Referer HTTP header isn't a required header, so you should never depend on its presence. Since it is also a client-provided header, it should never be trusted to be correct or unaltered, either. Thus its use is commonly frowned upon since it's unreliable (both its existence and integrity).

        Also, you never showed us any code as to how you're trying to use it. In your first post, you asked about "another variable" that might be used, but this I think points to your problem: HTTP_REFERER (or even $HTTP_REFERER) isn't a variable at all. $_SERVER['HTTP_REFERER'], on the other hand, is most likely what you're referring to.
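
Added example, not code from any poster in this thread: a PHP receiver that reads `$_SERVER['HTTP_REFERER']` only as an optional hint and bases the actual decision on an HMAC-signed GET parameter. The signed parameter stands in for the "encrypted GET variables" mentioned above; the key, host names, parameter names (`u`, `ts`, `sig`) and function names are all hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed values for illustration; the key would be shared out of band between the sites.
const TRANSFER_KEY  = 'replace-with-a-long-random-shared-secret';
const TRUSTED_HOSTS = ['app.example.com', 'shop.example.com'];
const MAX_AGE_SECS  = 120;

// Sending site: build the signed query string appended to the link to the PHP site.
function build_transfer_query(string $user, int $now): string
{
    $sig = hash_hmac('sha256', $user . '|' . $now, TRANSFER_KEY);
    return http_build_query(['u' => $user, 'ts' => $now, 'sig' => $sig]);
}

// Receiving site: the signature decides; the Referer is only recorded as a hint.
function check_transfer(array $get, array $server, int $now): array
{
    // Optional, client-supplied header: absent for bookmarks, typed URLs, privacy tools.
    $referer = $server['HTTP_REFERER'] ?? '';
    $host = is_string($referer) && $referer !== '' ? parse_url($referer, PHP_URL_HOST) : null;
    $refererHint = is_string($host) && in_array(strtolower($host), TRUSTED_HOSTS, true);

    // Accept only scalar string parameters (rejects u[]=... style array input).
    $user = is_string($get['u'] ?? null) ? $get['u'] : '';
    $ts   = is_string($get['ts'] ?? null) && ctype_digit($get['ts']) ? (int)$get['ts'] : 0;
    $sig  = is_string($get['sig'] ?? null) ? $get['sig'] : '';

    $expected = hash_hmac('sha256', $user . '|' . $ts, TRANSFER_KEY);
    $valid = $user !== ''
        && hash_equals($expected, $sig)        // constant-time comparison
        && abs($now - $ts) <= MAX_AGE_SECS;    // reject stale links

    return ['valid' => $valid, 'referer_hint' => $refererHint];
}

// Constructed request 1: correct signature, no Referer header sent at all.
parse_str(build_transfer_query('stephen', 1700000000), $get);
var_dump(check_transfer($get, [], 1700000030));

// Constructed request 2: Referer names a trusted host, but the user field was altered.
$get['u'] = 'admin';
var_dump(check_transfer($get, ['HTTP_REFERER' => 'https://app.example.com/'], 1700000030));
```

The two constructed requests show the two cases discussed in the thread: a legitimate transfer with a blank Referer, and a request whose Referer looks right while its signed data does not verify.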
