Hey,

So here is the deal. I'm trying to make it so a certain page on my site can only be accessed if the user is coming from a specific 'external' site. I did some research online and this is what I have come up with:

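<?php
// A missing Referer header leaves this key unset, so default to an empty string.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strstr($referer, "google.com")) {
    header("Location: thanks.html");
} else {
    header("Location: index.html");
}
exit; // stop the script once the redirect header has been sent
?>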

The above code lives in the file 'test.php'. Here is the issue: When attempting to go to the URL 'test.php' directly from google.com I keep getting directed to 'index.html' rather than 'thanks.html' even though it's the correct 'referring' site.

Any suggestions would be greatly appreciated.

Thanks!

    Try outputting the $_SERVER['HTTP_REFERER'] string to see what it contains.

    Also, note that relying on the 'Referer' header is very dangerous since it a) can be stripped out completely by gateways/proxies/browser settings/etc., and b) can be easily modified/altered/defined by the client.

      OK so here is what I did. I tested using the following:

      echo $_SERVER['HTTP_REFERER'];

      When I tested coming from Google.com I just got a blank screen.

      Also, from doing some more research, I found that if the HTTP_REFERER has not been set, I won't see anything, which seems to be the case.

      Is this the issue and if so how do I go about setting the HTTP_REFERER?

        froppo wrote:

        how do I go about setting the HTTP_REFERER?

        Er... you can't; the value of the Referer header is entirely client-dependent; if the client doesn't specify it, then there's nothing you can do to determine the referring page (sans some kind of internal tracking mechanism, but that won't help you for cross-domain links, e.g. from Google).

          So is there another better way to accomplish what I'm attempting to do (i.e. dictate what page a user sees based on what 'referring' website they're coming from)?

            Not really, no. If the Referer header was sent, then you can use it. If it wasn't, then I don't think there's anything else you can do. After all, privacy is often a big issue, so it should make sense that you can't force an answer out of a user's browser as to what website they previously visited.

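Added example, not part of the original thread: a PHP sketch that treats the Referer header as an optional hint, handling the absent case discussed above and comparing the parsed host instead of searching the whole URL with strstr(). The function name referer_matches_host() and all sample header values are constructed for illustration.

```php
<?php
/**
 * Classify a raw Referer value as 'absent', 'match' or 'no-match'.
 * Hypothetical helper: the result is a hint for choosing a page,
 * never proof of where the visitor came from.
 */
function referer_matches_host(?string $referer, string $expectedDomain): string
{
    if ($referer === null || $referer === '') {
        return 'absent'; // header stripped by browser, proxy or privacy setting
    }

    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return 'no-match'; // malformed value or no host component
    }

    $host     = strtolower(rtrim($host, '.'));
    $expected = strtolower($expectedDomain);
    $suffix   = '.' . $expected;

    // Accept the exact host or a true subdomain of it.
    if ($host === $expected || substr($host, -strlen($suffix)) === $suffix) {
        return 'match';
    }
    return 'no-match';
}

// Constructed sample values for the header (null means it was not sent).
$samples = [
    'https://www.google.com/search?q=test',      // host is www.google.com
    'https://google.com/',                       // host is google.com
    null,                                        // the situation in this thread
    'https://example.test/page?from=google.com', // domain only in the query string
    'https://google.com.example.test/',          // domain is a prefix of another host
];

foreach ($samples as $referer) {
    // The substring test from the original post, for comparison.
    $substring = ($referer !== null && strstr($referer, 'google.com') !== false) ? 'yes' : 'no';
    printf(
        "%-44s strstr=%-3s host-check=%s\n",
        $referer ?? '(header not sent)',
        $substring,
        referer_matches_host($referer, 'google.com')
    );
}
```

In a page handler the input would be `$_SERVER['HTTP_REFERER'] ?? null`; because the client chooses the value, a 'match' result is suitable for picking a landing page but not for restricting access.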