Urgent: HTTP_REFERER is empty

Anon

Hi all,

One of my php file will check the referrer. It works properly if the browser sending the request is IE5.5 or above, but for IE5.0, the $HTTP_REFER is empty.

I've captured the HTTP requests from both of them. There is a little bit of difference only.

For IE6.0
GET /test.php3?NAME=ABC HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, /
Referer: http://www.abc.com/test/caller.jsp?client=ABC
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 123.123.123.123
Connection: Keep-Alive

For IE5.0
GET /test.php3?NAME=ABC HTTP/1.1
Accept: /
Referer: http://www.abc.com/test/caller.jsp?client=ABC
Accept-Language: en-us,zh-hk;q=0.8,zh-cn;q=0.5,zh-tw;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT; Tucows)
Host: 123.123.123.123
Connection: Keep-Alive

What should be problem at all? Should it be due to the browser, the web server, or the PHP file itself?

At last, the most important thing is how to fix it?

Thanks in advance!!!

[deleted]

HTTP_REFERER is an optional field, browsers don't have to send it if they don't want to, or if the user has disabled it for privacy reasons.

Anon

However, I'm quite sure both IE5.0 and IE6.0 support this feature since you may see the referer appear in the HTTP requests that I've captured previously.

[deleted]

Most like they do support it, but it is not mandactory, they don't have to send it, so you may not rely on it.

Anon

Sometimes javascript can cock it up specially in IE6 cus IE6 is poo.

[deleted]

Some problem: Javascript can be disabled.

Anon

Yes, I understand this field is not mandatory. But pls understand the situation that both IE5.0 and IE6.0 HAVE SENT the referer to the web server in my case. As you may see below, the data transmitted from my IE to the web server via port 80(HTTP port). Obviously, they sent the referer to the web server but my PHP can't get the actual values of the HTTP_REFER if the browser is IE5.0.

Why? Pls help!
Thanks for all of your advice!

IE6.0
GET /test.php3?NAME=ABC HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, /
-------- Look Here ------------------------
Referer: http://www.abc.com/test/caller.jsp?
-------- Look Here ------------------------
client=ABC
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 123.123.123.123
Connection: Keep-Alive

For IE5.0
GET /test.php3?NAME=ABC HTTP/1.1
Accept: /
-------- Look Here ------------------------
Referer: http://www.abc.com/test/caller.jsp?
-------- Look Here ------------------------
client=ABC
Accept-Language: en-us,zh-hk;q=0.8,zh-cn;q=0.5,zh-tw;q=0.3
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT; Tucows)
Host: 123.123.123.123
Connection: Keep-Alive

Anon

Yes, I understand someone could even trigger a HTTP request even using a telnet program simply. It still won't be a problem coz I just want to guide illegal access from ordinary users only. For professional guides, just give them a free lunch.

Back to the topic, this field is not mandatory. But pls understand the situation that both IE5.0 and IE6.0 HAVE SENT the referer to the web server in my case. As you may see below, the data transmitted from my IE to the web server via port 80(HTTP port). Obviously, they sent the referer to the web server but my PHP can't get the actual values of the HTTP_REFER if the browser is IE5.0.

Why? Pls help!
Thanks for your advice!

[deleted]

"It still won't be a problem coz I just want to guide illegal access from ordinary users only"

You're not getting the point;

You cannot repy on the Referer field. Your script may not, under any circumstance expect the Referer field. Never ever ever.
Any person/any browser can stop sending the Referer field whenever it he/it wants to.

It just does not work.

Anon

Yes, you're right. With no doubt, they stop sending the Referer if our clients want to do so. But it would be their lose coz my PHP will reject their requests simply. Our clients pay for us, so will our clients really do this?

Besides, I want to say again IE5.0, IE5.5 and IE6.0 will send this piece of information to web server by default(pls check the HTTP requests from browser quoted in my previous msg). We just claim to support these browsers only. I don't mind if they insist on using any browsers else like Netscape.

Right here, I just want to ask why my PHP can't get the HTTP_REFERER if the HTTP Request is sent from IE5.0, although the HTTP Referer has been sent from IE5.0 actually.

[deleted]

"Our clients pay for us, so will our clients really do this?"

Hold on, the fact that your clients pay for your service does not mean you can do what you like with it. In fact, it gives your clients the right to demand that you keep things the way they are, or change it to their advantage.

Remember, you are offering a service, and you are not the only one. If you stop supporting their browser, they could decide to simply move to another company still does.

I don't think many people will object againt having to send the referer, but it is just one more thing you 'demand' from your clients, and limiting your browser support is never a good move.

Anyway.
I don't know whay it does not work with IE5. (probably because IE5 is total crap)
Try looking at 'getallheaders()', you may be able to get it that way.