Re: [PHP] http_referer. what's wrong with that?

2012-01-11 Thread Ken Robinson

At 12:27 AM 1/12/2012, Haluk Karamete wrote:

Because I got this

echo $_SERVER['HTTP_REFERER'];

I end up with this

Notice: Undefined index: HTTP_REFERER in
D:\Hosting\5291100\html\blueprint\bp_library.php on line 16
die;

Now, this is of course after the <?php error_reporting (E_ALL); ?> change.

One solution is to dodge it by

echo @$_SERVER['HTTP_REFERER'];


The better way to avoid the error is to do something like

echo (isset($_SERVER['HTTP_REFERER']))?$_SERVER['HTTP_REFERER']:'No referrer set';


Which checks to see if it's set before echoing the value. If it's not 
set, you get a message saying so.


Ken



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] HTTP_REFERER with javascript: document.location

2006-04-18 Thread Richard Lynch
On Tue, April 18, 2006 12:49 pm, Yudie wrote:
 Does anyone know how to resolve my problem
 I tried to get the referer url with $_SERVER['HTTP_REFERER'] but
 returns
 blank when I use javascript: document.location='...' from the previous
 page.

Don't do that.
:-)

More specifically, no browser is required to provide HTTP_REFERER, so
that value is completely un-reliable.

If, for some reason, your application NEEDS the preceding page, you'll
need to track it in the URL, or in their session, or through some
mechanism that YOU control.

Rule #1:
Never, ever, ever, trust the browser.
Or the guy/gal/bot using it, for that matter.

Hope that helps, even if it's *so* not what you wanted to hear.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] HTTP_REFERER with javascript: document.location

2006-04-18 Thread Yudie
Thank you for your advice.

I guess it's impossible to get a reliable referrer value from another site?
How are the website statistics engines out there able to get the
referral addresses?



- Original Message - 
From: Richard Lynch [EMAIL PROTECTED]
To: Yudie [EMAIL PROTECTED]
Cc: php-general@lists.php.net
Sent: Tuesday, April 18, 2006 4:16 PM
Subject: Re: [PHP] HTTP_REFERER with javascript: document.location


 On Tue, April 18, 2006 12:49 pm, Yudie wrote:
  Does anyone know how to resolve my problem
  I tried to get the referer url with $_SERVER['HTTP_REFERER'] but
  returns
  blank when I use javascript: document.location='...' from the previous
  page.

 Don't do that.
 :-)

 More specifically, no browser is required to provide HTTP_REFERER, so
 that value is completely un-reliable.

 If, for some reason, your application NEEDS the preceding page, you'll
 need to track it in the URL, or in their session, or through some
 mechanism that YOU control.

 Rule #1:
 Never, ever, ever, trust the browser.
 Or the guy/gal/bot using it, for that matter.

 Hope that helps, even if it's *so* not what you wanted to hear.

 -- 
 Like Music?
 http://l-i-e.com/artists.htm







Re: [PHP] HTTP_REFERER with javascript: document.location

2006-04-18 Thread Richard Lynch
Probably uses the same thing you're trying to use, which is NOT reliable.

Works for most browsers in most situations, but not reliably.

Walking through your web access logs can also sometimes use heuristics
regarding time and IP address to guess which users are unique or
not, but they are not really accurate.  Just guesses.

Websites that claim # unique visitors are either:
A) Guessing
B) Requiring a login

If it's A, and you want to compare 2 sites, and both sites aren't
using the same methodology to determine unique visitor your
statistics have to be taken with a huge grain of salt...

There is no magical solution out there that any log analysis website
statistic engine is using -- It's all assuming the browsers aren't
lying (and some of them are) and guesswork.

Again I say:  If you NEED to know the REFERER for sure, then YOU have
to track it.  Nobody will do it for you.

If you don't really care and just want a guess then you can use
REFERER.

On Tue, April 18, 2006 5:01 pm, Yudie wrote:
 Thank you for your advice.

 I guess it's impossible to get a reliable referrer value from another
 site?
 How are the website statistics engines out there able to get the
 referral addresses?



 - Original Message -
 From: Richard Lynch [EMAIL PROTECTED]
 To: Yudie [EMAIL PROTECTED]
 Cc: php-general@lists.php.net
 Sent: Tuesday, April 18, 2006 4:16 PM
 Subject: Re: [PHP] HTTP_REFERER with javascript: document.location


 On Tue, April 18, 2006 12:49 pm, Yudie wrote:
  Does anyone know how to resolve my problem
  I tried to get the referer url with $_SERVER['HTTP_REFERER'] but
  returns
  blank when I use javascript: document.location='...' from the
 previous
  page.

 Don't do that.
 :-)

 More specifically, no browser is required to provide HTTP_REFERER,
 so
 that value is completely un-reliable.

 If, for some reason, your application NEEDS the preceding page,
 you'll
 need to track it in the URL, or in their session, or through some
 mechanism that YOU control.

 Rule #1:
 Never, ever, ever, trust the browser.
 Or the guy/gal/bot using it, for that matter.

 Hope that helps, even if it's *so* not what you wanted to hear.

 --
 Like Music?
 http://l-i-e.com/artists.htm








-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] $HTTP_REFERER

2004-08-05 Thread Jason Davidson
It's possible Norton Firewall OR your browser is altering the headers.
How are you redirecting? Norton may not allow for some kinds of
redirects either.  Try turning Norton off, and visiting the page :)

Jason

Shaun [EMAIL PROTECTED] wrote: 
 
 Hi,
 
 I seem to have problems redirecting pages when I view my site using my
 laptop, the only difference is that my laptop has Norton Firewall installed,
 can this interfere with the $HTTP_REFERER variable and if so is there a more
 reliable alternative?
 
 Thanks for your help
 



Re: [PHP] $HTTP_REFERER

2004-08-05 Thread raditha dissanayake
Shaun wrote:
Hi,
I seem to have problems redirecting pages when I view my site using my
laptop, the only difference is that my laptop has Norton Firewall installed,
can this interfere with the $HTTP_REFERER variable and if so is there a more
reliable alternative?
 

Many firewalls and proxies can filter out referer information so it's 
not likely to be reliable. Referer details can also be forged.

Thanks for your help
 


--
Raditha Dissanayake.

http://www.radinks.com/sftp/ | http://www.raditha.com/megaupload
Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
Graphical User Inteface. Just 128 KB | with progress bar.


Re: [PHP] $HTTP_REFERER

2004-08-05 Thread Shaun
Hi Jason,

Thanks for your reply, but really I need a solution that will allow me to
let users view the site without having to worry about any firewalls they
might have installed!!!


Jason Davidson [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Its possible norton firewall OR your browser is altering the headers.
 how are you redirecting, norton may not allow for some kind of
 redirects either.  Try turning norton off, and visiting the page :)

 Jason

 Shaun [EMAIL PROTECTED] wrote:
 
  Hi,
 
  I seem to have problems redirecting pages when I view my site using my
  laptop, the only difference is that my laptop has Norton Firewall
installed,
  can this interfere with the $HTTP_REFERER variable and if so is there a
more
  reliable alternative?
 
  Thanks for your help
 



RE: [PHP] $HTTP_REFERER

2004-08-05 Thread Ford, Mike [LSS]
On 05 August 2004 17:18, Shaun wrote:

 Hi,
 
 I seem to have problems redirecting pages when I view my site using my
 laptop, the only difference is that my laptop has Norton
 Firewall installed,
 can this interfere with the $HTTP_REFERER variable

Not only can, does!  Other firewalls or proxies may alter it, some will simply block 
it, and anyway it can be forged by the user.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning  Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 




RE: [PHP] $HTTP_REFERER

2004-08-05 Thread Ed Lazor
Shaun,

Jason is suggesting that you turn Norton off to help troubleshoot the
problem.  In other words, verify that Norton is the problem.

Also, people are suggesting that the display of your web pages not depend so
significantly on the HTTP_REFERER variable.  Perhaps we can help you come
up with a better solution if you tell us what you're trying to accomplish.

-Ed



 -Original Message-
 From: Shaun [mailto:[EMAIL PROTECTED]
 Sent: Thursday, August 05, 2004 9:26 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [PHP] $HTTP_REFERER
 
 Hi Jason,
 
 Thanks for your reply, but really I need a solution that will allow me to
 let users view the site without having to worry about any firewalls they
 might have installed!!!
 
 
 Jason Davidson [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  Its possible norton firewall OR your browser is altering the headers.
  how are you redirecting, norton may not allow for some kind of
  redirects either.  Try turning norton off, and visiting the page :)
 
  Jason
 
  Shaun [EMAIL PROTECTED] wrote:
  
   Hi,
  
   I seem to have problems redirecting pages when I view my site using my
   laptop, the only difference is that my laptop has Norton Firewall
 installed,
   can this interfere with the $HTTP_REFERER variable and if so is there
 a
 more
   reliable alternative?
  
   Thanks for your help
  



Re: [PHP] $HTTP_REFERER

2004-08-05 Thread Curt Zirzow
* Thus wrote Shaun:
 Hi,
 
 I seem to have problems redirecting pages when I view my site using my
 laptop, the only difference is that my laptop has Norton Firewall installed,
 can this interfere with the $HTTP_REFERER variable and if so is there a more
 reliable alternative?

The reliable way to set yourself up with a self contained referrer,
is by using sessions.

At the very end of each script you can set a session variable, something
like:

$_SESSION['last_page'] = 'http://yadayada'.  $_SERVER['REQUEST_URI'];

That way during the current request you will know where they were
last.

There are gotchas with this, like browser caching and the like.

The other alternative is passing the page they are coming from all
the time, which can get real ugly.


Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes
you've been hearing about.  No, sir.  Our model is the trapezoid!




Re: [PHP] HTTP_REFERER

2004-06-04 Thread John Nichel
Steve Douville wrote:
I think I'm having a major brain fart here. Is there a $HTTP_REFERER
anymore? It doesn't show up as a server variable or anything at all in
phpinfo()... using php 4.3.4
Ideas?
TIA,
Steve

It has to be set to show up.

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] HTTP_REFERER

2004-06-04 Thread Steve Douville
lmao -- uh huh

Problem was that I was using a javascript redirect and of course, that
doesn't send any value. Found that out just a minute ago. Knew the stupid
variable existed...

Think I'll grab the info in js and then redirect it to the php page as part
of the query string.

Thanks,
Steve

- Original Message - 
From: John Nichel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 04, 2004 2:51 PM
Subject: Re: [PHP] HTTP_REFERER


 Steve Douville wrote:
  I think I'm having a major brain fart here. Is there a $HTTP_REFERER
  anymore? It doesn't show up as a server variable or anything at all in
  phpinfo()... using php 4.3.4
  
  Ideas?
  
  TIA,
  Steve
  
 
 It has to be set to show up.
 
 -- 
 John C. Nichel
 KegWorks.com
 716.856.9675
 [EMAIL PROTECTED]
 



Re: [PHP] HTTP_REFERER ... ?

2004-05-06 Thread John Nichel
Curt Zirzow wrote:
I guess soon firewalls are going to be pouring you cups of coffee
when it gets empty.
Curt

I hope they offer a Mt. Dew patch. ;)

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


RE: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Jay Blanchard
[snip]
if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
// Stuff
}

Now why does this not work?
[/snip]

Have you echo'd $_SERVER['HTTP_REFERER'] ?




Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Daniel Clark
I found this in the manual:

'HTTP_REFERER'

The address of the page (if any) which referred the user agent to the
current page. This is set by the user agent. Not all user agents will set
this, and some provide the ability to modify HTTP_REFERER as a feature. In
short, it cannot really be trusted.

 if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
 // Stuff
 }

 Now why does this not work?
 I wanna assign variables based on certain referers...
 but this is not working?

 Any ideas why?




Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread John Nichel
[EMAIL PROTECTED] wrote:
if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
// Stuff
}
Now why does this not work?
I wanna assign variables based on certain referers...
but this is not working?
Any ideas why?

What do you get when you echo out $_SERVER['HTTP_REFERER']?

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Tristan . Pretty
Sadly, I get nothing...
the other server I'm talking to is owned by our company, it's a Lotus 
Domino server...
so in theory, they'll be able to enable this variable to be passed?





John Nichel [EMAIL PROTECTED] 
05/05/2004 17:07

To
[EMAIL PROTECTED]
cc

Subject
Re: [PHP] HTTP_REFERER ... ?






[EMAIL PROTECTED] wrote:
 if ($_SERVER['HTTP_REFERER'] == 'http://www.mysite.com/') {
 // Stuff
 }
 
 Now why does this not work?
 I wanna assign variables based on certain referers...
 but this is not working?
 
 Any ideas why?

What do you get when you echo out $_SERVER['HTTP_REFERER']?

-- 
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]




Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread John Nichel
[EMAIL PROTECTED] wrote:
Sadly, I get nothing...
the other server I'm talking to is owned by our company, it's a Lotus 
Domino server...
so in theory, they'll be able to enable this variable to be passed?

I can never remember one day to the other which it is, but I _think_
it's the browser which sets/sends the REFERER, not the referring server.

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


RE: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Pablo Gosse
John Nichel wrote:
 [EMAIL PROTECTED] wrote:
 Sadly, I get nothing...
 the other server I'm talking to is owned by our company, it's a
 Lotus Domino server... so in theory, they'll be able to enable this
 variable to be passed? 
 
 I can never remember one day to the other which it is, but I _think_
 it's the browser which sets/sends the REFERER, not the referring
 server. 
 
 --
 John C. Nichel
 KegWorks.com
 716.856.9675
 [EMAIL PROTECTED]

You should avoid using HTTP_REFERER if at all possible.  I found out the
hard way that some firewalls will change HTTP_REFERER to HTTP_WEFERER,
obfuscate it some other way, or just not set it.  This can also be done
by the browser in some cases.

The following is quoted from a previous post by Chris Shiflett:

Referer is just as easy to spoof as the form data you're expecting.

HTH.

Pablo

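Treating the Referer as an optional hint, as the replies in this thread advise, could look like the following added example (not code from any poster). It classifies the header for statistics only and copes with it being absent, blanked or malformed; www.mysite.com comes from the snippet in the thread, while the function names and sample values are constructed (PHP 7.1 or later).

```php
<?php
/**
 * Classify a Referer value for statistics. The result is a hint about where
 * a visit probably came from and must never be used to grant access.
 * Returns 'none', 'invalid', 'internal' or 'external:<host>'.
 */
function classify_referer(array $server, string $ownHost): string
{
    $raw = $server['HTTP_REFERER'] ?? '';
    if (!is_string($raw) || trim($raw) === '') {
        // Never sent, or removed by a browser setting, proxy or firewall.
        return 'none';
    }
    $parts = parse_url(trim($raw));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'invalid';
    }
    $host = strtolower($parts['host']);
    // Allow only host-name characters before the value reaches logs or reports.
    if (!preg_match('/^[a-z0-9.-]{1,253}$/', $host)) {
        return 'invalid';
    }
    return $host === strtolower($ownHost) ? 'internal' : 'external:' . $host;
}

/** Tally a batch of requests, for example rows replayed from an access log. */
function tally_referers(array $requests, string $ownHost): array
{
    $counts = [];
    foreach ($requests as $server) {
        $kind = classify_referer($server, $ownHost);
        $counts[$kind] = ($counts[$kind] ?? 0) + 1;
    }
    ksort($counts);
    return $counts;
}

// Constructed sample requests (each array stands in for one $_SERVER).
$sample = [
    ['HTTP_REFERER' => 'http://www.mysite.com/products.php?id=7'],
    ['HTTP_REFERER' => 'http://search.example.test/?q=php'],
    [],                                             // header not sent at all
    ['HTTP_REFERER' => ''],                         // header blanked on the way
    ['HTTP_REFERER' => 'javascript:void(0)'],       // not an http(s) URL
    ['HTTP_WEFERER' => 'http://www.mysite.com/'],   // renamed header, as described above
];

print_r(tally_referers($sample, 'www.mysite.com'));
```

Comparing only the parsed host also avoids the exact-string test from the original question, which fails for any referring page other than the site root.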



RE: [PHP] HTTP_REFERER ... ? OT

2004-05-05 Thread Jay Blanchard
[snip]
some firewalls will change HTTP_REFERER to HTTP_WEFERER
[/snip]

That is not a firewall munge, that would be Elmer Fudd's server!

ROFLMFAO! 




Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread John W. Holmes
From: Pablo Gosse [EMAIL PROTECTED]

 The following is quoted from a previous post by Chris Shiflett:
 
 Referer is just as easy to spoof as the form data you're expecting.

wait, wait, wait... we CAN'T trust form data? Crap...

---John Holmes...




Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread John Nichel
John W. Holmes wrote:
From: Pablo Gosse [EMAIL PROTECTED]
The following is quoted from a previous post by Chris Shiflett:
Referer is just as easy to spoof as the form data you're expecting.

wait, wait, wait... we CAN'T trust form data? Crap...
---John Holmes...

Maybe we CAN trust form data if we DON'T trust Chris. ;)

--
John C. Nichel
KegWorks.com
716.856.9675
[EMAIL PROTECTED]


Re: [PHP] HTTP_REFERER ... ?

2004-05-05 Thread Curt Zirzow
* Thus wrote Pablo Gosse ([EMAIL PROTECTED]):
 John Nichel wrote:
  [EMAIL PROTECTED] wrote:
  Sadly, I get nothing...
  the other server I'm talking to is owned by our company, it's a
  Lotus Domino server... so in theory, they'll be able to enable this
  variable to be passed? 
  
  I can never remember one day to the other which it is, but I _think_
  it's the browser which sets/sends the REFERER, not the referring
  server. 
 
 You should avoid using HTTP_REFERER if at all possible.  I found out the
 hard way that some firewalls will change HTTP_REFERER to HTTP_WEFERER,
 obfuscate it some other way, or just not set it.  This can also be done
 by the browser in some cases.

I guess soon firewalls are going to be pouring you cups of coffee
when it gets empty.


Curt
-- 
I used to think I was indecisive, but now I'm not so sure.




Re: [PHP] $HTTP_Referer

2003-11-10 Thread Chris Shiflett
--- Josephin Tauschinger [EMAIL PROTECTED]
wrote:
 Thank you Chris!

No problem. :-)

 What I did was exactly what Pablo Gosse proposed and, as you stated,
 it didn't work:
 <input type="hidden" name="referrer" value="<?php echo
 htmlspecialchars(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '', ENT_QUOTES); ?>">
 
 Do you know how I can get my webserver (Apache/Unix) to parse html
 files for php-scripts?

Yes, this can be done, but are you sure this is what you want to do? There
are advantages and disadvantages to both. For example, if you have a lot
of HTML files, and you tell Apache to treat them as PHP, there will be
some work that Apache does for no reason. On the other hand, some people
prefer to hide what server-side technologies (such as PHP) that they are
using.

If this is really what you want to do, try adding this to httpd.conf:

AddType application/x-httpd-php .html

Then restart your Web server. Alternatively, just use a .php extension for
PHP scripts. It is likely that your Web server already knows what to do
with these.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




RE: [PHP] $HTTP_Referer

2003-11-06 Thread Pablo Gosse
On Thursday, November 06, 2003 10:31 AM, Josephin wrote:

<snip>
xy.html --->form.html-->formmailer.php

want the $HTTP_Referer or  HTTP_URI, file only, (of xy.html)
-->to be forwarded to form.html,
-->to be converted in a variable,
-->which is passed on to formmailer.php, which will use it as subject.
</snip>

Hi Josephin.

Simply use $_SERVER['HTTP_REFERER'] to populate a hidden field in your
form.

So,

<input type="hidden" name="referrer" value="<?php echo
htmlspecialchars(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '', ENT_QUOTES); ?>">

Cheers,
Pablo




Re: [PHP] $HTTP_Referer

2003-11-06 Thread Chris Shiflett
--- Josephin [EMAIL PROTECTED] wrote:
 am a newbie as of yesterday.

Welcome!

 Can't figure out how to get the $HTTP_Referer (own domain) of the page
 entering my form (html), convert it into a variable which is later
 passed on to my formmailer.php for the $subject variable.
 
 xy.html --->form.html-->formmailer.php
 
 want the $HTTP_Referer or  HTTP_URI, file only, (of xy.html)
 -->to be forwarded to form.html,
 -->to be converted in a variable,
 -->which is passed on to formmailer.php, which will use it as subject.

Well, in PHP, you can use $_SERVER['HTTP_REFERER']. However, unless your
Web server is configured to treat form.html as a PHP script (which I
seriously doubt is the case), you will not have access to this information
at that point. So, you can't do what you're describing without the original
POST request (xy.html -> form.html) being to a PHP resource rather than an
HTML one.

Hope that helps.

Chris

=
My Blog
 http://shiflett.org/
HTTP Developer's Handbook
 http://httphandbook.org/
RAMP Training Courses
 http://www.nyphp.org/ramp




Re: [PHP] $HTTP_REFERER / Hijacking

2003-09-06 Thread Curt Zirzow
* Thus wrote John Taylor-Johnston ([EMAIL PROTECTED]):
 
 The problem is I noticed a friend was getting the hijacking message.
 I had him clean his cache and reload, but no luck.
 
 I wondered why he got that message, so I echoed $HTTP_REFERER to see what his IE6.x 
 was spewing out. The result was:
 
 $HTTP_REFERER =
 
 Anyone suggest a work around? Another variable maybe? I don't need it, but want that 
 functionality in this counter:
 if(stristr($HTTP_REFERER,"district"))


 
 I do need this functionality, however, on another site, where two URLS share the 
 same index.html on the same Apache server. One displays info one way for one URL, 
 the other another way for a different URL.

The referer isn't guaranteed to be there, and there really isn't a
way around the problem.

Ideally, if it's possible, have the user use a server side include instead
of javascript.  That will guarantee no hijacking and also the
counter still will get displayed even if the end-user has javascript
off.

Either way keep the referrer checking in there, most people have
that setting on so only a select few wouldn't get counted.


Curt
-- 
I used to think I was indecisive, but now I'm not so sure.




Re: [PHP] HTTP_REFERER reliability

2003-03-16 Thread Dan Hardiker

 But the manual says that HTTP_REFERER is unreliable, so I'm
 intrigued to know exactly what the problems are. Any ideas?

The HTTP_REFERER field is retrieved from the HTTP Referer: header as
used in the HTTP protocol. This field is set entirely by the client
browser / application retrieving the data. There is nothing to stop the
client from adding malformed, incorrect or spoof data into this field -
and thus possibly faking entry to the data you are protecting.

You cannot rely on this field to be accurate, correct or even populated.


-- 
Dan Hardiker [EMAIL PROTECTED]
ADAM Software  Systems Engineer
First Creative





Re: [PHP] HTTP_REFERER reliability

2003-03-16 Thread Marek Kilimajer
As you are already using sessions, you can store the original page in a 
session variable

rotsky wrote:

I have a small login form on the home page of my site. At the moment, when
people enter their user details and hit 'send', they go to another page
which checks their details and, if they are successful, prints a welcome
message. The problem is, they are now on this page and have to work their
way back to the home page. I can provide a link for this, of course, but
that limits the number of pages that can have such a login panel, because I
have to hand-code the return link.
I've experimented using $_SERVER['HTTP_REFERER'] which seems to work here.
If the user enters valid login details, the session vars are set and they
are bounced automatically back to the original page - which is fab. But the
manual says that HTTP_REFERER is unreliable, so I'm intrigued to know
exactly what the problems are. Any ideas?


 



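The session-based alternative suggested in this reply, and in Curt Zirzow's reply in the $HTTP_REFERER thread further up, written out as an added example (not code from either poster). It records the current page in the session at the end of each request and validates the stored value before it is used as a redirect target; the function names, /login.php and /index.php are assumptions (PHP 7.1 or later).

```php
<?php
/** Accept only a local absolute path such as "/news.php?id=3". */
function safe_local_path(?string $candidate, string $default = '/index.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Must begin with exactly one "/": browsers treat "//host" and "/\host"
    // as another site. Control characters are rejected as well.
    if ($candidate[0] !== '/'
        || preg_match('#^/[/\\\\]#', $candidate)
        || preg_match('/[\x00-\x1f\x7f]/', $candidate)) {
        return $default;
    }
    return $candidate;
}

/** Call at the end of every normal page to record where the user is. */
function remember_page(array &$session, array $server): void
{
    $uri = $server['REQUEST_URI'] ?? '';
    // Only GET pages are worth returning to; never store the login handler.
    if (($server['REQUEST_METHOD'] ?? 'GET') === 'GET'
        && strpos($uri, '/login.php') !== 0) {
        $session['last_page'] = safe_local_path($uri);
    }
}

/** Call in the login handler once the credentials have been accepted. */
function return_target(array $session): string
{
    return safe_local_path($session['last_page'] ?? null);
}

// Wiring in real pages (web server):
//   session_start();
//   ... page output ...
//   remember_page($_SESSION, $_SERVER);
//
// In login.php after a successful login:
//   header('Location: ' . return_target($_SESSION));
//   exit;

// Constructed demonstration that runs from the command line.
$session = [];
remember_page($session, ['REQUEST_METHOD' => 'GET',  'REQUEST_URI' => '/news.php?id=3']);
remember_page($session, ['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/login.php']);
echo return_target($session), "\n";

// A stored value that points off-site falls back to the default page.
echo return_target(['last_page' => '//other.example.test/x']), "\n";
```

Because the value is written by the server from its own request data and checked again on use, a missing or altered Referer header no longer affects the redirect.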


Re: [PHP] HTTP_REFERER reliability

2003-03-16 Thread Leif K-Brooks
Anyone can send any referer (sic) header to your script.  It shouldn't 
be used for checking if someone is trying to hack the script, but it 
should be fine in your case.

rotsky wrote:

I've experimented using $_SERVER['HTTP_REFERER'] which seems to work here.
If the user enters valid login details, the session vars are set and they
are bounced automatically back to the original page - which is fab. But the
manual says that HTTP_REFERER is unreliable, so I'm intrigued to know
exactly what the problems are. Any ideas?


 

--
The above message is encrypted with double rot13 encoding.  Any unauthorized attempt 
to decrypt it will be prosecuted to the full extent of the law.




Re: [PHP] HTTP_REFERER security implications?

2003-03-10 Thread Kevin Stone
- Original Message -
From: Tom Woody [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 10, 2003 9:53 AM
Subject: [PHP] HTTP_REFERER security implications?


 I am working on a simple authentication script, where the user submits a
 login and password, the credentials are checked and the user is
 redirected to another script.  The new script checks the HTTP_REFERER
 and if its the original script it continues, otherwise it stops with a
 message about being unauthorized.

 What kind of security implications may I be backing myself into?  I want
 to try and stay away from cookies, and as small as this is I think
 Session management is a little overkill.  The average user isn't going
 to spend much more than 1 or 2 minutes on the site (not much for them to
 see or do).  I have seen this method used on other sites, but I prefer
 to check with the experts first.

 thanks,

 --
 Tom

Yes I have read that the HTTP_REFERER can easily be faked by controlling the
name on a proxy server (although I have never done so myself).  Once set up
all you have to do is post through an identical form and voila, you're in.  A
good analogy of the level of security we're talking about is a common door
lock... enough to keep out the casual individual but a thief can enter with
little or no trouble.  And isn't it the thieves you're worried about?
-Kevin






RE: [PHP] HTTP_REFERER security implications?

2003-03-10 Thread Don Read

On 10-Mar-2003 Tom Woody wrote:
 I am working on a simple authentication script, where the user submits a
 login and password, the credentials are checked and the user is
 redirected to another script.  The new script checks the HTTP_REFERER
 and if its the original script it continues, otherwise it stops with a
 message about being unauthorized.
 
 What kind of security implications may I be backing myself into?  I want
 to try and stay away from cookies, and as small as this is I think
 Session management is a little overkill.  The average user isn't going
 to spend much more than 1 or 2 minutes on the site (not much for them to
 see or do).  I have seen this method used on other sites, but I prefer
 to check with the experts first.
 

If they use a proxy that doesn't send HTTP_REFERER, It'll break things. 
My numbers say it happens about 15% of the time:

mysql> select count(*) from hit where urlid=0;
+----------+
| count(*) |
+----------+
|    83082 |
+----------+
1 row in set (0.53 sec)

mysql> select count(*) from hit;
+----------+
| count(*) |
+----------+
|   541557 |
+----------+
1 row in set (0.00 sec)


Since you don't want to use sessions, maybe 401 WWW-authenticate method
would work better for your application.

Regards,
-- 
Don Read   [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.

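The 401 WWW-Authenticate method suggested above, as an added example that is not part of the original post. It replaces the Referer check with HTTP Basic authentication evaluated on every request; the user table, realm name and function names are assumptions (PHP 7.1 or later).

```php
<?php
/**
 * Return the authenticated user name, or null when credentials are missing
 * or wrong. $server is $_SERVER; $users maps user name => password_hash()
 * output. PHP fills PHP_AUTH_USER / PHP_AUTH_PW only when the web server
 * passes the Authorization header through to it.
 */
function authenticate_basic(array $server, array $users): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return null;
    }
    // Verify against a dummy hash for unknown names so that known and
    // unknown users take a similar amount of time to reject.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return ($known && $ok) ? $user : null;
}

/** Ask the browser for credentials. Basic auth is only safe over HTTPS. */
function challenge(string $realm): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    echo 'Authorization required.';
}

// In every protected script (web server), instead of looking at the Referer:
//   $who = authenticate_basic($_SERVER, $users);
//   if ($who === null) { challenge('Members'); exit; }

// Constructed demonstration that runs from the command line.
// The user name and password are sample values.
$users = ['tom' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Correct credentials.
var_dump(authenticate_basic(
    ['PHP_AUTH_USER' => 'tom', 'PHP_AUTH_PW' => 'correct horse'], $users));

// Wrong password.
var_dump(authenticate_basic(
    ['PHP_AUTH_USER' => 'tom', 'PHP_AUTH_PW' => 'guess'], $users));

// A request that only carries a plausible Referer is not authenticated.
var_dump(authenticate_basic(
    ['HTTP_REFERER' => 'http://www.example.test/login.php'], $users));
```

The browser resends the credentials with each request, so no cookie or session is needed and the second script never has to infer anything from where the request came from.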



Re: [PHP] HTTP_REFERER work without a problem....

2003-01-16 Thread Jason Wong
On Thursday 16 January 2003 05:38, Scott Fletcher wrote:
 Or worse, not substituting the characters in the Session ID.  Just use the
 same Session ID.  What if there is leftover session file in the /tmp
 directory of the Unix machine and we're dealing with hundred of users each
 day.  Some of those session files aren't deleted because the user just
 closed the browser without logging out.  It is unfortunate that there is no
 better solution to this.

I've been sort of following this thread and as I understand it you're trying 
to use HTTP_REFERER to ascertain whether a user has 'logged in'? IE if 
HTTP_REFERER isn't the login page then they haven't 'logged in'? 

If that is the case then you should know that this provides no security at 
all.

Use a proper authentication system based on sessions.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
If Robert Di Niro assassinates Walter Slezak, will Jodie Foster marry Bonzo??
*/






Re: [PHP] HTTP_REFERER work without a problem....

2003-01-16 Thread Scott Fletcher
IP address is not an effective solution.  Anyone can use a 2nd browser on
the same machine.  Also, if for a company with 1000 machines behind the
firewall, they all get one and the same IP address outside the firewall.


Kevin Stone [EMAIL PROTECTED] wrote in message
news:00a701c2bcdd$316349a0$6601a8c0@kevin...
 You can never fully rely on any information given to you by the browser.
 You can't rely on it being accurate or even being there at all.  What I
 suggest to you is code a solution around the IP address.  The IP address of
 course, like any information coming from the client, can be tampered with
 but more than likely it's not going to change while the user is browsing
 your website.  Right?  So you just use it as a temporary ID.  Log the IP to
 the database, track the IP's movements on your website, log those actions
 to a database.  That's the best way to do it without having to force the
 user to login.  If you're concerned about people browsing from network IP
 then code a solution using Sessions and track the session id.  And finally
 if you need to know that a client has 'returned' to your website set a
 cookie on their computer.  I'm sure you'll find ways to elaborate from
 there.  You can do all of this without requiring the user to login.
 -Kevin

 - Original Message -
 From: Scott Fletcher [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, January 15, 2003 2:07 PM
 Subject: Re: [PHP] HTTP_REFERER work without a problem


  It's not a PHP bug.  Many PHP programmers tried their best to use
  HTTP_REFERER so they can keep track of which webpages on the current
  website the user last visited.  That way, they can keep out the
  unauthorized access to the website without first logging in to the
  website.
 
  Well, my company's website uses both SSL and Session ID.  They are good
  for starters but they aren't any secure if anyone can make a direct
  access without logging in.  That's where I use HTTP_REFERER to see what
  last page he or she visited; if the last page being visited is outside
  of my company's website then PHP moved the end user to the login page.
  It is pretty effective.
 
  The common problem with the browsers is that they aren't compatible so
  HTTP_REFERER doesn't always work right and sometimes returns a blank if
  those three are being used.  I had been observing it for a few years.
  Those three are  1) HierMenus, 2) location.replace('') and
  3) location.href=''.  When either one of these is in use, some browsers
  return with a blank in HTTP_REFERER.
 
  Cheers
 
  Chris Shiflett [EMAIL PROTECTED] wrote in message
  news:[EMAIL PROTECTED]...
   --- Scott Fletcher [EMAIL PROTECTED] wrote:
Here's what I found so interesting
   
This code, $_SERVER['HTTP_REFERER'] have worked without a
problem when I use the latest Mozilla build. It even work
with the HierMenus,
   location.replace('http://whatever.com'),
and location.href = http://whatever.com...
   
This is a good news for PHP everywhere.
   
Unfortunately, Internet Explorer still have this
bug...
  
   What bug is that?
  
   Is there a question here somewhere? I think I am having a
   hard time interpreting it.
  
   Chris
 
 
 
 
 









Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Chris Shiflett
--- Scott Fletcher [EMAIL PROTECTED] wrote:
 Here's what I found so interesting
 
 This code, $_SERVER['HTTP_REFERER'] have worked without a
 problem when I use the latest Mozilla build. It even work
 with the HierMenus,
location.replace('http://whatever.com'),
 and location.href = http://whatever.com...
 
 This is a good news for PHP everywhere.
 
 Unfortunately, Internet Explorer still have this
 bug...

What bug is that?

Is there a question here somewhere? I think I am having a
hard time interpreting it.

Chris





Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
It's not a PHP bug.  Many PHP programmers tried their best to use
HTTP_REFERER so they can keep track of which webpages on the current website
the user last visited.  That way, they can keep out the unauthorized
access to the website without first logging in to the website.

Well, my company's website uses both SSL and Session ID.  They are good for
starters but they aren't any secure if anyone can make a direct access
without logging in.  That's where I use HTTP_REFERER to see what last page
he or she visited; if the last page being visited is outside of my
company's website then PHP moved the end user to the login page.  It is
pretty effective.

The common problem with the browsers is that they aren't compatible so
HTTP_REFERER doesn't always work right and sometimes returns a blank if those
three are being used.  I had been observing it for a few years.  Those three
are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
either one of these is in use, some browsers return with a blank in
HTTP_REFERER.

Cheers

Chris Shiflett [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 --- Scott Fletcher [EMAIL PROTECTED] wrote:
  Here's what I found so interesting
 
  This code, $_SERVER['HTTP_REFERER'] have worked without a
  problem when I use the latest Mozilla build. It even work
  with the HierMenus,
 location.replace('http://whatever.com'),
  and location.href = http://whatever.com...
 
  This is a good news for PHP everywhere.
 
  Unfortunately, Internet Explorer still have this
  bug...

 What bug is that?

 Is there a question here somewhere? I think I am having a
 hard time interpreting it.

 Chris







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
That wouldn't work if there is already a Session ID, so that's where
HTTP_REFERER comes into play.

Try it out by logging in to any webpage with a Session ID.  Then copy the URL
address with the Session ID already there.  Paste it into an email and send
it to a different computer.  On the new computer, substitute a couple of
alpha-numeric characters with a different one.  Like replace any of the 5
characters with a different 5 characters.  Finally, copy the URL address
with the altered Session ID and paste it into the URL address of a browser and
press enter.  You'll find yourself being able to access the website without
logging in.  The $_SESSION data would not exist but it gave the hacker what
they need to break in and hackers aren't pretty dumb, they can figure out how
to make it work along the way.

What's so ironic is that the SSL can be established anyway.


Paul Roberts [EMAIL PROTECTED] wrote in message
news:021c01c2bcda$d007cde0$28ef86d9@laptop1...
try looking at sessions,

if they don't have a login session id send them to the login page otherwise
they are logged in so let them see the page.

works for me

Best Wishes & Happy New Year

Paul Roberts
[EMAIL PROTECTED]

- Original Message -
From: Scott Fletcher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 15, 2003 9:07 PM
Subject: Re: [PHP] HTTP_REFERER work without a problem


It's not a PHP bug.  Many PHP programmers tried their best to use
HTTP_REFERER so they can keep track of which webpages on the current website
the user last visited.  That way, they can keep out the unauthorized
access to the website without first logging in to the website.

Well, my company's website uses both SSL and Session ID.  They are good for
starters but they aren't any secure if anyone can make a direct access
without logging in.  That's where I use HTTP_REFERER to see what last page
he or she visited; if the last page being visited is outside of my
company's website then PHP moved the end user to the login page.  It is
pretty effective.

The common problem with the browsers is that they aren't compatible so
HTTP_REFERER doesn't always work right and sometimes returns a blank if those
three are being used.  I had been observing it for a few years.  Those three
are  1) HierMenus, 2) location.replace('') and 3) location.href=''.  When
either one of these is in use, some browsers return with a blank in
HTTP_REFERER.

Cheers

Chris Shiflett [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 --- Scott Fletcher [EMAIL PROTECTED] wrote:
  Here's what I found so interesting
 
  This code, $_SERVER['HTTP_REFERER'] have worked without a
  problem when I use the latest Mozilla build. It even work
  with the HierMenus,
 location.replace('http://whatever.com'),
  and location.href = http://whatever.com...
 
  This is a good news for PHP everywhere.
 
  Unfortunately, Internet Explorer still have this
  bug...

 What bug is that?

 Is there a question here somewhere? I think I am having a
 hard time interpreting it.

 Chris













Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Chris Shiflett
--- Scott Fletcher [EMAIL PROTECTED] wrote:
 Many PHP programmer tried to their best to use
 HTTP_REFERER so they can keep track of which
 webpages on the current website did the user
 last visited.

I think I see what you are referring to now.

The reason that many people (myself included) discourage
the use of REFERER for this purpose is not only because
support is inconsistent, but also because it is not
required that a Web client send this header. In fact, the
only required header in the latest version of HTTP (1.1) is
the Host header. So, it really boils down to not depending
on something that is not guaranteed to be there.

More reliable solutions usually incorporate some sort of
shared secret between the client and the server. For
example, say you have a form located at foo.php that
submits to bar.php. Rather than checking the REFERER on
bar.php to make sure it is foo.php, it is better to include
a hidden form field on foo.php that is dynamically
generated and stored in the user's session. You can be
assured that the hidden form field will be included with
the other form elements, so you can compare it to the value
stored in the user's session and not run the risk of it
being absent or blank (for the legitimate user, the good
guy).

Of course, this is just one example of many, but the point
is that you need to rely on something that is reliable. :-)

Chris
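
Added example, not part of the message above or of any list member's code: one way to build the session-stored hidden form field it describes, assuming PHP 7 or later. The function names, the `form_token` key and the single-file layout (a GET request plays foo.php, a POST plays bar.php) are assumptions of this sketch.

```php
<?php
declare(strict_types=1);

// Added example. issue_form_token(), check_form_token() and the
// 'form_token' session key are names invented for this sketch.

/** foo.php side: create the token for this session and return it. */
function issue_form_token(array &$session): string
{
    // 32 bytes from the OS CSPRNG: unguessable, unlike a Referer value
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

/** bar.php side: true only if the submitted value matches the session copy. */
function check_form_token(array &$session, $submitted): bool
{
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']);              // single use, pass or fail
    if ($expected === '' || !is_string($submitted)) {
        return false;                           // no form was served, or field absent
    }
    return hash_equals($expected, $submitted);  // constant-time comparison
}

if (PHP_SAPI === 'cli') {
    // Self-check on a constructed session array (no web server needed).
    $session = [];
    $token   = issue_form_token($session);
    $results = [
        'correct token'  => check_form_token($session, $token),
        'replayed token' => check_form_token($session, $token),
        'missing field'  => check_form_token($session, null),
    ];
    foreach ($results as $case => $accepted) {
        echo str_pad($case, 16), $accepted ? 'accepted' : 'rejected', PHP_EOL;
    }
    exit(0);
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Role of bar.php: the Referer header is never consulted.
    if (!check_form_token($_SESSION, $_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or wrong. Please reload the form and try again.');
    }
    echo 'Form accepted.';
} else {
    // Role of foo.php: embed the token as a hidden field.
    $token = htmlspecialchars(issue_form_token($_SESSION), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">',
         '<input type="hidden" name="token" value="', $token, '">',
         '<input type="submit" value="Send">',
         '</form>';
}
```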





Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
I agree with you on that.  Having something that is reliable is not a bad
idea.  Anyway, this HTTP_REFERER script has been in use for 4 years and we
sometime very little have problem with it.  If the HTTP_REFERER doesn't work
then all the user will experience is a direct access attempt and be brought
to the login page, it's part of the fail-safe code.  I haven't come up with
an alternative to HTTP_REFERER that works even better than this.  So, better
safe than sorry.  :-)

Chris Shiflett [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 --- Scott Fletcher [EMAIL PROTECTED] wrote:
  Many PHP programmer tried to their best to use
  HTTP_REFERER so they can keep track of which
  webpages on the current website did the user
  last visited.

 I think I see what you are referring to now.

 The reason that many people (myself included) discourage
 the use of REFERER for this purpose is not only because
 support is inconsistent, but also because it is not
 required that a Web client send this header. In fact, the
 only required header in the latest version of HTTP (1.1) is
 the Host header. So, it really boils down to not depending
 on something that is not guaranteed to be there.

 More reliable solutions usually incorporate some sort of
 shared secret between the client and the server. For
 example, say you have a form located at foo.php that
 submits to bar.php. Rather than checking the REFERER on
 bar.php to make sure it is foo.php, it is better to include
 a hidden form field on foo.php that is dynamically
 generated and stored in the user's session. You can be
 assured that the hidden form field will be included with
 the other form elements, so you can compare it to the value
 stored in the user's session and not run the risk of it
 being absent or blank (for the legitimate user, the good
 guy).

 Of course, this is just one example of many, but the point
 is that you need to rely on something that is reliable. :-)

 Chris







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
Or worse, not substituting the characters in the Session ID.  Just use the
same Session ID.  What if there is a leftover session file in the /tmp
directory of the Unix machine and we're dealing with hundreds of users each
day.  Some of those session files aren't deleted because the user just
closed the browser without logging out.  It is unfortunate that there is no
better solution to this.

Scott Fletcher [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 That wouldn't work if there is already a Session ID, so that's where
 HTTP_REFERER comes into play.

 Try it out by logging in to any webpage with a Session ID.  Then copy the
 URL address with the Session ID already there.  Paste it into an email and
 send it to a different computer.  On the new computer, substitute a couple
 of alpha-numeric characters with a different one.  Like replace any of the
 5 characters with a different 5 characters.  Finally, copy the URL address
 with the altered Session ID and paste it into the URL address of a browser
 and press enter.  You'll find yourself being able to access the website
 without logging in.  The $_SESSION data would not exist but it gave the
 hacker what they need to break in and hackers aren't pretty dumb, they can
 figure out how to make it work along the way.

 What's so ironic is that the SSL can be established anyway.


 Paul Roberts [EMAIL PROTECTED] wrote in message
 news:021c01c2bcda$d007cde0$28ef86d9@laptop1...
 try looking at sessions,

 if they don't have a login session id send them to the login page
 otherwise they are logged in so let them see the page.

 works for me

 Best Wishes & Happy New Year

 Paul Roberts
 [EMAIL PROTECTED]
 
 - Original Message -
 From: Scott Fletcher [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, January 15, 2003 9:07 PM
 Subject: Re: [PHP] HTTP_REFERER work without a problem


 It's not a PHP bug.  Many PHP programmers tried their best to use
 HTTP_REFERER so they can keep track of which webpages on the current
 website the user last visited.  That way, they can keep out the
 unauthorized access to the website without first logging in to the
 website.

 Well, my company's website uses both SSL and Session ID.  They are good for
 starters but they aren't any secure if anyone can make a direct access
 without logging in.  That's where I use HTTP_REFERER to see what last page
 he or she visited; if the last page being visited is outside of my
 company's website then PHP moved the end user to the login page.  It is
 pretty effective.

 The common problem with the browsers is that they aren't compatible so
 HTTP_REFERER doesn't always work right and sometimes returns a blank if
 those three are being used.  I had been observing it for a few years.
 Those three are  1) HierMenus, 2) location.replace('') and
 3) location.href=''.  When either one of these is in use, some browsers
 return with a blank in HTTP_REFERER.

 Cheers

 Chris Shiflett [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
  --- Scott Fletcher [EMAIL PROTECTED] wrote:
   Here's what I found so interesting
  
   This code, $_SERVER['HTTP_REFERER'] have worked without a
   problem when I use the latest Mozilla build. It even work
   with the HierMenus,
  location.replace('http://whatever.com'),
   and location.href = http://whatever.com...
  
   This is a good news for PHP everywhere.
  
   Unfortunately, Internet Explorer still have this
   bug...
 
  What bug is that?
 
  Is there a question here somewhere? I think I am having a
  hard time interpreting it.
 
  Chris















Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Christoph Grottolo
[EMAIL PROTECTED] (Chris Shiflett) wrote:

--- Scott Fletcher [EMAIL PROTECTED] wrote:
 Many PHP programmer tried to their best to use
 HTTP_REFERER so they can keep track of which
 webpages on the current website did the user
 last visited.

I think I see what you are referring to now.

The reason that many people (myself included) discourage
the use of REFERER for this purpose is not only because
support is inconsistent, but also because it is not
required that a Web client send this header. In fact, the
only required header in the latest version of HTTP (1.1) is
the Host header. So, it really boils down to not depending
on something that is not guaranteed to be there.

It's even dangerous to rely on HTTP_REFERER because it's not under your
control. The client could set the HTTP headers itself (e.g. a php
script using CURL, www.php.net/curl). You should at least combine the
REFERER check with a valid session on your host or look for a
corresponding log entry or something alike.

Christoph





Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Chris Shiflett
--- Scott Fletcher [EMAIL PROTECTED] wrote:
 Or worse, not substituting the characters in the
 Session ID. Just use the same Session ID. What if
 there is a leftover session file in the /tmp
 directory of the Unix machine and we're dealing
 with hundreds of users each day. Some of those
 session files aren't deleted because the user
 just closed the browser without logging out. It
 is unfortunate that there is no better solution to
 this.

Actually, there is a better solution.

Your observations are perfectly valid and correct. If the
session ID is given complete trust (which is the case for
many people, unfortunately, especially with the default
configuration for sessions), then there are many security
risks. Given your observations, I think you are on the
right track to developing more secure state and session
management mechanisms yourself.

I am actually considering submitting a proposal to speak
about this topic (well, Web application security with PHP
in general) at OSCON and perhaps the PHP Conference coming
in May. The reason that many people are hesitant to offer
solutions is because no solution is perfectly secure. There
are, however, many reliable methods you can use that will
not adversely affect your legitimate users in any way and
make life a bit harder for the bad guys.

A common example I give just to get you going is that you
can store the user agent in a session variable. While all
Web clients may not send the User-Agent header, you can be
assured that those that do will send the same User-Agent
header for every request. Verifying this against the
session variable can at least prevent the copy/paste from
an email attack that you mentioned unless the attacker
replicates the exact same User-Agent header.

Anyway, you have very valid points. Hopefully I will get
the chance to speak about this in more depth at a
conference soon, and if not, I will probably at least write
an article on it.

Chris
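
Added example, not from the thread: the User-Agent check described in the message above, combined with session settings that address the pasted-URL scenario raised earlier in the discussion. The function names, the `user` and `ua` session keys and `/login.php` are assumptions; `session.use_strict_mode` needs PHP 5.5.2 or later and the type declarations need PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example. Function names, session keys and /login.php are assumptions.

/** Hash of the User-Agent header (of the empty string if the client sent none). */
function ua_fingerprint(array $server): string
{
    return hash('sha256', (string) ($server['HTTP_USER_AGENT'] ?? ''));
}

/** Record the login in the session; call only after credentials were verified. */
function mark_logged_in(array &$session, array $server, string $user): void
{
    $session['user'] = $user;
    $session['ua']   = ua_fingerprint($server);
}

/**
 * A session counts as authenticated only if the server itself stored a user
 * in it and the User-Agent is the one seen at login. An ID that was guessed
 * or altered has no such data behind it and fails the first test.
 */
function session_is_authenticated(array $session, array $server): bool
{
    if (!isset($session['user'], $session['ua']) || !is_string($session['ua'])) {
        return false;
    }
    // The header can be copied by an attacker, so this narrows the window
    // for a leaked ID rather than closing it.
    return hash_equals($session['ua'], ua_fingerprint($server));
}

/** Start the session so that IDs are taken from cookies only. */
function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore IDs pasted into a URL
    ini_set('session.use_trans_sid', '0');    // never write the ID into links
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed request data (no web server needed).
    $browser = ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0 (constructed)'];
    $other   = ['HTTP_USER_AGENT' => 'OtherClient/2.0 (constructed)'];
    $session = [];
    $cases   = ['before login' => session_is_authenticated($session, $browser)];
    mark_logged_in($session, $browser, 'alice');
    $cases['same browser']     = session_is_authenticated($session, $browser);
    $cases['different client'] = session_is_authenticated($session, $other);
    foreach ($cases as $case => $ok) {
        echo str_pad($case, 18), $ok ? 'allowed' : 'sent to login', PHP_EOL;
    }
    exit(0);
}

start_hardened_session();
if (!session_is_authenticated($_SESSION, $_SERVER)) {
    $_SESSION = [];
    session_regenerate_id(true);      // drop the ID that failed the check
    header('Location: /login.php');   // hypothetical login page
    exit;
}
echo 'Welcome back, ', htmlspecialchars((string) $_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

The login handler would call `session_regenerate_id(true)` and then `mark_logged_in($_SESSION, $_SERVER, $user)` once the password check passes, so the ID in use before login is never the one that carries the authenticated state.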





Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
That sounds wonderful!!!  I'm looking forward to hearing about this in the
near future...

Thanks,
 Scott F.

Chris Shiflett [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 --- Scott Fletcher [EMAIL PROTECTED] wrote:
  Or worse, not substituting the characters in the
  Session ID. Just use the same Session ID. What if
  there is a leftover session file in the /tmp
  directory of the Unix machine and we're dealing
  with hundreds of users each day. Some of those
  session files aren't deleted because the user
  just closed the browser without logging out. It
  is unfortunate that there is no better solution to
  this.

 Actually, there is a better solution.

 Your observations are perfectly valid and correct. If the
 session ID is given complete trust (which is the case for
 many people, unfortunately, especially with the default
 configuration for sessions), then there are many security
 risks. Given your observations, I think you are on the
 right track to developing more secure state and session
 management mechanisms yourself.

 I am actually considering submitting a proposal to speak
 about this topic (well, Web application security with PHP
 in general) at OSCON and perhaps the PHP Conference coming
 in May. The reason that many people are hesitant to offer
 solutions is because no solution is perfectly secure. There
 are, however, many reliable methods you can use that will
 not adversely affect your legitimate users in any way and
 make life a bit harder for the bad guys.

 A common example I give just to get you going is that you
 can store the user agent in a session variable. While all
 Web clients may not send the User-Agent header, you can be
 assured that those that do will send the same User-Agent
 header for every request. Verifying this against the
 session variable can at least prevent the copy/paste from
 an email attack that you mentioned unless the attacker
 replicates the exact same User-Agent header.

 Anyway, you have very valid points. Hopefully I will get
 the chance to speak about this in more depth at a
 conference soon, and if not, I will probably at least write
 an article on it.

 Chris







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
I understand.  To combine the Session Id with HTTP_REFERER sounds good but it
didn't work too well.  I'm still open to ideas...   :-)   Fortunately, not
many people know it because it is done behind the scene, so they'll have a
lot more to guess about what's working behind the scene.



Christoph Grottolo [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 [EMAIL PROTECTED] (Chris Shiflett) wrote:

 --- Scott Fletcher [EMAIL PROTECTED] wrote:
  Many PHP programmer tried to their best to use
  HTTP_REFERER so they can keep track of which
  webpages on the current website did the user
  last visited.
 
 I think I see what you are referring to now.
 
 The reason that many people (myself included) discourage
 the use of REFERER for this purpose is not only because
 support is inconsistent, but also because it is not
 required that a Web client send this header. In fact, the
 only required header in the latest version of HTTP (1.1) is
 the Host header. So, it really boils down to not depending
 on something that is not guaranteed to be there.

 It's even dangerous to rely on HTTP_REFERER because it's not under your
 control. The client could set the HTTP headers itself (e.g. a php
 script using CURL, www.php.net/curl). You should at least combine the
 REFERER check with a valid session on your host or look for a
 corresponding log entry or something alike.

 Christoph







Re: [PHP] HTTP_REFERER work without a problem....

2003-01-15 Thread Scott Fletcher
Here's one way I can do, I checked the session id in the HTTP_REFERER and
grab the existing session id in the database table.  This is still not an
effective method.

Christoph Grottolo [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 [EMAIL PROTECTED] (Chris Shiflett) wrote:

 --- Scott Fletcher [EMAIL PROTECTED] wrote:
  Many PHP programmer tried to their best to use
  HTTP_REFERER so they can keep track of which
  webpages on the current website did the user
  last visited.
 
 I think I see what you are referring to now.
 
 The reason that many people (myself included) discourage
 the use of REFERER for this purpose is not only because
 support is inconsistent, but also because it is not
 required that a Web client send this header. In fact, the
 only required header in the latest version of HTTP (1.1) is
 the Host header. So, it really boils down to not depending
 on something that is not guaranteed to be there.

 It's even dangerous to rely on HTTP_REFERER because it's not under your
 control. The client could set the HTTP headers itself (e.g. a php
 script using CURL, www.php.net/curl). You should at least combine the
 REFERER check with a valid session on your host or look for a
 corresponding log entry or something alike.

 Christoph







RE: [PHP] HTTP_REFERER?

2002-08-28 Thread Lon Lentz


  Weird. When I plugged them straight into the query, it worked. Thanks
again for the help. Solved a major problem for me.


-Original Message-
From: listman@evol [mailto:listman@evol]On Behalf Of Keith Vance
Sent: Wednesday, August 28, 2002 10:51 PM
To: Lon Lentz
Subject: RE: [PHP] HTTP_REFERER?


Why not just always use the $_SERVER variable?







Re: [PHP] HTTP_REFERER

2002-03-25 Thread Dan Harrelson

Have you checked that your user is indeed coming from
"http://www.somedomain.com/index.html"?  There are lots of other ways
to load your homepage:

"http://xxx.xxx.xxx.xxx/index.html" (ip address, not domain)
"http://www.somedomain.com/"
"http://www.somedomain.com"
"http://xxx.xxx.xxx.xxx"
"http://xxx.xxx.xxx.xxx/"

You'll have to check for all of them

-Dan


--- tom hilton [EMAIL PROTECTED] wrote:
 Hi, I am using the $HTTP_REFERER variable to ensure that users of a
 website are getting to a certain page through a link from the index.html
 page, and not going straight to the page through a bookmark.
 
 $page=$HTTP_REFERER;
 if ($page!="http://www.somedomain.com/index.html")
   {
   echo "<h3>Please log in through the home page</h3><br>";
   echo "<META HTTP-EQUIV='Refresh' CONTENT='1;URL=http://www.somedomain.com/index.html'>";
   }
  This is working fine for most users, but one user is telling me that even
 though she is following the link from the index page, she's still getting
 the error message,  and is being bounced back to the index page.  She is
 using Internet Explorer 6.0.  Are there any security or privacy settings
 that might restrict use of the $HTTP_REFERER variable?  Or is there a
 better way to make sure users follow links to pages, rather than
 bookmarking and going straight to a page?  Thanks for any help you can
 give me.
 
 
 
 







Re: [PHP] HTTP_REFERER

2002-03-25 Thread Erik Price


On Monday, March 25, 2002, at 02:52  PM, tom hilton wrote:

  This is working fine for most users, but one user is telling me that even
 though she is following the link from the index page, she's still getting
 the error message,  and is being bounced back to the index page.  She is
 using Internet Explorer 6.0.  Are there any security or privacy settings
 that might restrict use of the $HTTP_REFERER variable?  Or is there a
 better way to make sure users follow links to pages, rather than
 bookmarking and going straight to a page?  Thanks for any help you can
 give me.

I'm not sure about Internet Explorer 6's use of HTTP headers, but the 
referer header in the HTTP protocol is not required by any user 
agent.  Legally, IE6 can choose not to send it, and still be in complete 
compliance with HTTP.

There may not be an easy way to do what you want.  One possible solution 
is to make the typical calls itself PHP page and display certain 
content based on certain variables being present, and use POST variables 
so that they do not appear in the URL.  The problem with this is that it 
requires a ton of code to wrap your content in the 'protective' 
index.html layer, and also you would have to use form buttons rather 
than hyperlinks (unless you used post_to_host(), see archives if you're 
not sure what I mean).


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






RE: [PHP] http_referer

2002-02-18 Thread Rick Emery


Try accessing the variable:  $HTTP_REFERER
without specifying the array.  it works for me


-Original Message-
From: tom hilton [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 12:25 PM
To: [EMAIL PROTECTED]
Subject: [PHP] http_referer


Hi,

I am trying to pull http_referer info on users accessing a certain page, but
am not having any luck. When I run phpinfo(), the referer information is
listed with all the other server variables, but when I pull a list of the
server variables as an array and print them, they all appear except for the
http_referer variable.  Does anyone have any idea of why this one variable
might not be available as part of the server array, but is accessible by
phpinfo()?







Re: [PHP] http_referer

2002-02-18 Thread Erik Price


In PHP4.1 or later, try:

echo $_SERVER['HTTP_REFERER'];


Erik







Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] HTTP_REFERER

2001-11-23 Thread gaouzief

hi

reasons why it couldn't be set:

the url was typed directly

some browsers don't send referer information

others (like Opera 5.12) send a wrong value

you shouldn't rely on HTTP_REFERER too much


regards

hassan el forkani
http://WarmAfrica.com

23/11/2001 11:55:04, Jordan Elver [EMAIL PROTECTED] wrote:

Hi,
I'm writing a 404 handler and in order to report the item that was requested 
I was trying to get the value of HTTP_REFERER. But, it does seem to get set. 
Does anyone know how to find this value? Is there a reason why it would not 
get set?

TIA,

Jord
-- 
Jordan Elver
Web Developer
http://www.theinternetone.co.uk
Carpe Aptenodytes! (Seize the Penguins!)





Re: [PHP] HTTP_REFERER

2001-11-23 Thread Sebastian Wenleder

Hi Jord,

You don't need to get HTTP_REFERER, in order to know what the client 
requested! And every browser stores some other info in HTTP_REFERER...
The filename that was requested is stored in $REQUEST_URI

Best,
Sebastian

Hi,
I'm writing a 404 handler and in order to report the item that was requested
I was trying to get the value of HTTP_REFERER. But, it does seem to get set.
Does anyone know how to find this value? Is there a reason why it would not
get set?

TIA,





RE: [PHP] HTTP_REFERER

2001-11-23 Thread Matt Williams

 Hi,
 I'm writing a 404 handler and in order to report the item that 
 was requested 
 I was trying to get the value of HTTP_REFERER. But, it does seem 
 to get set. 
 Does anyone know how to find this value? Is there a reason why it 
 would not 
 get set?
 

Hi 

I think you're looking for this

$HTTP_SERVER_VARS[REQUEST_URI]

M:





Re: [PHP] HTTP_REFERER

2001-11-23 Thread Jordan Elver

On Friday 23 November 2001 13:39, you wrote:
 Are you using it as

 $HTTP_SERVER_VARS[REQUEST_URI]

 or

 $REQUEST_URI

 ?

Well, I think I'm buggered then because I just tried to use both and they 
both report the same value :-(

Back to the drawing board.

 I had the same problem using the latter. The former displays properly.
 Other than that I can't remember if I changed anything else

 M:

-- 
Jordan Elver
Web Developer
http://www.theinternetone.co.uk
Unix is not a A-ha experience, it is more of a holy-shit experience. --- 
Colin McFadyen in alt.folklore.computers





Re: [PHP] HTTP_REFERER

2001-11-23 Thread Jordan Elver

Hi,
When I use HTTP_REFERER it gives me the name of the php script which is 
handling the 404's?!

Should that happen?

Jord

On Friday 23 November 2001 11:41, you wrote:
  Hi,
  I'm writing a 404 handler and in order to report the item that
  was requested
  I was trying to get the value of HTTP_REFERER. But, it does seem
  to get set.
  Does anyone know how to find this value? Is there a reason why it
  would not
  get set?

 Hi

 I think you're looking for this

 $HTTP_SERVER_VARS[REQUEST_URI]

 M:

-- 
Jordan Elver
Web Developer
http://www.theinternetone.co.uk
testing? What's that? If it compiles, it is good, if it boots up it is 
perfect. --- Linus Torvalds





RE: [PHP] HTTP_REFERER

2001-11-23 Thread Matt Williams

 Hi,
 When I use HTTP_REFERER it gives me the name of the php script which is
 handling the 404's?!

 Should that happen?

As someone put in one of the other replies, don't rely on HTTP_REFERER.
This is set (or not) by the browser and they all have different ideas about
whether they want to play ball with it.

You said you wanted to find the URL they were trying to get at.
Use the variable I told you about before to get this.

Regards
M:


 Jord

 On Friday 23 November 2001 11:41, you wrote:
   Hi,
   I'm writing a 404 handler and in order to report the item that
   was requested
   I was trying to get the value of HTTP_REFERER. But, it does seem
   to get set.
   Does anyone know how to find this value? Is there a reason why it
   would not
   get set?
 
  Hi
 
  I think you're looking for this
 
  $HTTP_SERVER_VARS[REQUEST_URI]
 
  M:

 --
 Jordan Elver
 Web Developer
 http://www.theinternetone.co.uk
 testing? What's that? If it compiles, it is good, if it boots up it is
 perfect. --- Linus Torvalds







Re: [PHP] HTTP_REFERER

2001-11-23 Thread Jim Lucas

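At our site, we built the error trapping that you are wanting to build.

Here is a snippet of what we used.

  // Placeholder variable name: the posted snippet began mid-expression.
  // Reads request values through $GLOBALS, which relies on register_globals.
  $report =
    "PSID: (" . PSID . ")\n" .
    "Page: ($GLOBALS[REQUEST_URI])\n" .
    "As referred from: ($GLOBALS[HTTP_REFERER])\n" .
    "Browser Platform: ($GLOBALS[HTTP_USER_AGENT])\n" .
    "User IP: " . gethostbyaddr($GLOBALS['REMOTE_ADDR']) .
    " ($GLOBALS[REMOTE_ADDR])\n";

Hope this helps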

Jim
- Original Message -
From: Jordan Elver [EMAIL PROTECTED]
To: PHP General Mailing List [EMAIL PROTECTED]
Sent: Friday, November 23, 2001 2:55 AM
Subject: [PHP] HTTP_REFERER


 Hi,
 I'm writing a 404 handler and in order to report the item that was
requested
 I was trying to get the value of HTTP_REFERER. But, it does seem to get
set.
 Does anyone know how to find this value? Is there a reason why it would not
 get set?

 TIA,

 Jord
 --
 Jordan Elver
 Web Developer
 http://www.theinternetone.co.uk
 Carpe Aptenodytes! (Seize the Penguins!)





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
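
A 404 report along the lines discussed in this thread, as an added example that is not the code any poster used: it takes the requested item from REQUEST_URI, treats HTTP_REFERER as optional, and neutralises every client-supplied field before it reaches a log line or an HTML page. The function names and the sample request are constructed for illustration.

```php
<?php
// Added illustration; function names and the sample request are constructed.

// Client-supplied values go into a one-line-per-field report, so strip
// control characters and cap the length before using them.
function cleanField(?string $value, int $max = 200): string
{
    if ($value === null || $value === '') {
        return '(not sent)';
    }
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    return strlen($value) > $max ? substr($value, 0, $max) . '...' : $value;
}

function build404Report(array $server): string
{
    $fields = [
        'Page'    => $server['REQUEST_URI'] ?? null,     // what was asked for
        'Referer' => $server['HTTP_REFERER'] ?? null,    // optional, may be absent
        'Browser' => $server['HTTP_USER_AGENT'] ?? null,
        'User IP' => $server['REMOTE_ADDR'] ?? null,
    ];
    $report = '';
    foreach ($fields as $label => $value) {
        $report .= sprintf("%-8s: (%s)\n", $label, cleanField($value));
    }
    return $report;
}

// Escape at the point of output when the report is shown in a browser.
function reportAsHtml(string $report): string
{
    return '<pre>' . htmlspecialchars($report, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed request: typed URL (no Referer) and markup in the User-Agent.
$sample = [
    'REQUEST_URI'     => '/old/page.html?id=7',
    'HTTP_USER_AGENT' => 'ExampleBrowser/1.0 <b>bold</b>',
    'REMOTE_ADDR'     => '192.0.2.15',
];

$report = build404Report($sample);
echo $report;                 // plain text for the log or an e-mail
echo reportAsHtml($report);   // same data, safe to embed in a page
```
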




Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Nick Davies


like 

if ($HTTP_REFERER == "certain host") {
    // do finalise code
}




On Fri, 17 Aug 2001, Erich Zigler wrote:

 I am working on the last half of an Online Signup page for an ISP.
 
 There is a local .php page on the webserver that actually finalizes the
 addition of the user, but ONLY if $HTTP_REFERER is from a certain host. 
 
 I was wondering what you guys think of doing it this way? 
 
 Any advice would be appreciated. Thank you.
 
 






Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Nick Davies


Sorry, missed a bit: you'll just need to ereg out the hostname from
HTTP_REFERER - take everything after http:// and before /...

Nick.

On Fri, 17 Aug 2001, Erich Zigler wrote:

 I am working on the last half of an Online Signup page for an ISP.
 
 There is a local .php page on the webserver that actually finalizes the
 addition of the user, but ONLY if $HTTP_REFERER is from a certain host. 
 
 I was wondering what you guys think of doing it this way? 
 
 Any advice would be appreciated. Thank you.
 
 






Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Nick Davies


Probably best to read stuff first ;)

try preg_match

preg_match("/^(http:\/\/)?([^\/]+)/i", $HTTP_REFERER, $hostname);

the hostname will be in $hostname[2]

Hope it helps.

On Fri, 17 Aug 2001, Nick Davies wrote:

 
 Sorry, missed a bit: you'll just need to ereg out the hostname from
 HTTP_REFERER - take everything after http:// and before /...
 
 Nick.
 
 On Fri, 17 Aug 2001, Erich Zigler wrote:
 
  I am working on the last half of an Online Signup page for an ISP.
  
  There is a local .php page on the webserver that actually finalizes the
  addition of the user, but ONLY if $HTTP_REFERER is from a certain host. 
  
  I was wondering what you guys think of doing it this way? 
  
  Any advice would be appreciated. Thank you.
  
  
 
 
 






Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Erich Zigler

On Fri 17 Aug 2001, Nick Davies wrote:

 Probably best to read stuff first ;)
 try preg_match
 preg_match("/^(http:\/\/)?([^\/]+)/i", $HTTP_REFERER, $hostname);
 the hostname will be in $hostname[2]
 Hope it helps.

Thanks. But is using $HTTP_REFERER the most secure way of doing it? Or can
the $HTTP_REFERER be forged and thus gaining unauthorized access to the
forms?

-- 
Erich Zigler

A sick mind is not necessarily the sign of a neat desk.





Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Rob Hardowa


According to the spec:
$HTTP_REFERER
The address of the page (if any) which referred the browser to the 
current page. This is set by the user's browser; not all browsers will set 
this. 

So if it is set by the user's browser, it can be changed, or shut off. 
I believe there are programs out there that block that env var so people do 
not leave tracks within a site as well. Look at tucows.com for such programs.

Typically, if a user went through 5 pages to sign up and is on the sixth 
page, I wouldn't worry about someone forging that too much.  I'd be more 
worried about referrer not being set and then not allowing them to signup 
because of that.  You can always set a variable like $PAGENUM in your code on 
the second last page and session register it, then check for it on the last 
page.  If it exists, do your thing and destroy the session.  If it does not 
exist, you can take the desired action.  Combine this with the HTTP_REFERER 
and I would think you should be fairly safe, but remember, the HTTP_REFERER 
could be empty, whereas the session var should be trusted as it is coming 
from your own site.  

On Friday 17 August 2001 09:34 am, you wrote:

 Thanks. But is using $HTTP_REFERER the most secure way of doing it? Or can
 the $HTTP_REFERER be forged and thus gaining unauthorized access to the
 forms?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
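
The session-variable check described above, next to the Referer host check it replaces, as an added example that is not code from any poster in this thread. The function names, the `signup_token` key, the host name and the sample requests are assumptions constructed for illustration; the `$session` array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added illustration; names and sample data are constructed, not from the thread.

// Weak gate: trusts a header whose value the client chooses.
function refererAllows(array $server, string $expectedHost): bool
{
    if (!isset($server['HTTP_REFERER'])) {
        return false;                       // also locks out browsers that omit it
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Second-to-last page: keep a random value server-side and embed it in the form.
function issueSignupToken(array &$session): string
{
    $session['signup_token'] = bin2hex(random_bytes(32));
    return $session['signup_token'];
}

// Last page: accept only if the posted value matches the stored one, then burn it.
function tokenAllows(array &$session, array $post): bool
{
    $stored = $session['signup_token'] ?? null;
    $given  = $post['signup_token'] ?? null;
    unset($session['signup_token']);        // single use, even on failure
    return is_string($stored) && is_string($given) && hash_equals($stored, $given);
}

// --- constructed requests ---
$session = [];
$token   = issueSignupToken($session);

// 1. Genuine visitor whose browser sends no Referer but returns the form token.
$genuine = ['server' => [], 'post' => ['signup_token' => $token]];

// 2. Request that claims the expected Referer but never loaded the form.
$forged  = ['server' => ['HTTP_REFERER' => 'http://signup.example.test/step5.php'],
            'post'   => []];

printf("genuine: referer=%s token=%s\n",
    var_export(refererAllows($genuine['server'], 'signup.example.test'), true),
    var_export(tokenAllows($session, $genuine['post']), true));

$session = [];                              // the second client has its own, empty session
printf("forged:  referer=%s token=%s\n",
    var_export(refererAllows($forged['server'], 'signup.example.test'), true),
    var_export(tokenAllows($session, $forged['post']), true));
```
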




Re: [PHP] $HTTP_REFERER

2001-08-17 Thread Jesse Arnett

Hello,

I'm not sure I would worry too much about the referrer. If your 'add
account' script has decent error checking, it shouldn't matter if the user
creates their own form.

-jesse
--
Jesse Arnett [EMAIL PROTECTED]
SISCOM Inc http://www.siscom.net/
Southern Ohio's Superior Internet Service Provider
Ph: 937.222.8150.413


- Original Message -
From: Erich Zigler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 17, 2001 12:13 PM
Subject: [PHP] $HTTP_REFERER


 I am working on the last half of an Online Signup page for an ISP.

 There is a local .php page on the webserver that actually finalizes the
 addition of the user, but ONLY if $HTTP_REFERER is from a certain host.

 I was wondering what you guys think of doing it this way?

 Any advice would be appreciated. Thank you.

 --
 Erich Zigler





Re: [PHP] HTTP_REFERER is missing in SSL

2001-07-27 Thread Rasmus Lerdorf

 I have a frameset that runs on a SSL enabled server that has two frames in it.
 One of the source is the local machine and the other one is a (outsourced
 asp !!) script in another machine without SSL.
 The non SSL one requires HTTP_REFERER to make sure it was hit from the
 authorized server.

 This works fine with Netscape but not with IE 5. HTTP_REFERER just wasn't
 defined.

 Any explanation?

Bug in IE?  PHP doesn't even enter the picture here.  The HTTP_REFERER
variable is defined by the web server if that information is provided by
the browser.

Keep in mind that there is absolutely no guarantee that the browser will
ever provide this information.  Building anything that relies on this is a
mistake.

-Rasmus






Re: [PHP] HTTP_REFERER is missing in SSL

2001-07-27 Thread Ezra Nugroho


Bug in IE?  PHP doesn't even enter the picture here.  The HTTP_REFERER
variable is defined by the web server if that information is provided by
the browser.

No, it's not really a PHP thing, it's more HTML stuff.
I suspect that the error comes because one of the servers is not running 
SSL, so IE doesn't pass HTTP_REFERER to it.
I wonder if someone has any authoritative knowledge on this problem.


Keep in mind that there is absolutely no guarantee that the browser will
ever provide this information.  Building anything that relies on this is a
mistake.

Yeah, I know, but this is an outsourced script that I have no control of.


-Rasmus


Ezra Nugroho
Web/Database Application Specialist
Goshen College ITS
Phone: (219) 535-7706


Don't be humble, you're not that great. -- Golda Meir






RE: [PHP] HTTP_REFERER doesn't work with redirects...?

2001-02-22 Thread PHPBeginner.com

HTTP_REFERER works ONLY when clicking a link which brings you to a page in the
SAME window.
This value comes from your browser and it is very unreliable.

Sincerely,

 Maxim Maletsky
 Founder, Chief Developer

 PHPBeginner.com (Where PHP Begins)
 [EMAIL PROTECTED]
 www.phpbeginner.com





-Original Message-
From: Dhaval Desai [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 22, 2001 12:09 AM
To: [EMAIL PROTECTED]
Subject: [PHP] HTTP_REFERER doesn't work with redirects...?


Hi!


I just want to get the URL of the page that is
redirecting to the other page.
For example..

I  have two files
login.php
something.php


Something.php has a line saying:

<?php

header ("Location: ./login.php");

?>


So When I open Something.php it automatically takes me
to login.php. On the login.php page I have the
following lines

<?php

echo $HTTP_REFERER;

?>


It doesn't seem to work. I think the problem is
because I don't click and go to something.php. I am
getting redirected to the file. So is there any other
way I can get the URL of the file Which is
redirecting.


Thanx a lot

Cheers!~
Dhaval Desai





Re: [PHP] HTTP_REFERER vs. session_whatever() vs. header()

2001-01-24 Thread Richard Lynch

 //echo $test."<br>";
 "//" .  Without the remark, the code works but I get the error message
 stating 

 Warning: Cannot add header information - headers already sent by
(output
 started at test.php) in test.php on line **

Yes.
A header is called a header because it comes out ahead of the actual page
content.

So what your browser *REALLY* sees is stuff like this:

Content-type: text/html
Content-length: 1035
Expiration: Jan 14 2001 20:46:37 GMT
Cookie: user_id "a7fjeju48dj934jdjcu8"

<HTML>
<BODY>test</BODY>
</HTML>


Note the blank line between the headers and the HTML tag.  That innocent
blank line is very, very significant.

It signifies the *END* of the headers and the beginning of the content.

So, here's the deal.  When you print something out, or have an HTML tag, or
have a blank line, PHP has to send that out as part of the Content.  Now, in
order to do that, PHP has to send out your headers first, then the blank
line, then whatever your content is.

If you later try to send out a header, using the http://php.net/header
function, or http://php.net/setcookie or http://php.net/session-start
(sessions use cookies to track users), IT IS TOO LATE.  That boat already
sailed.  Once the headers go out, and the blank line after them, you can't
get more headers to be in front of that blank line that signified the end of
the headers.

 When I put in the remark, the 2nd file, test.php couldn't use
 $GLOBAL["HTTP_REFERER"] because it couldn't find the last file.  I was
 thinking that maybe the HTTP_REFERER couldn't reach the last file because
of
 the way the header works.

What exactly are you trying to do with the referer in the 2nd file?  Print
it?  What?  Why?



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
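
The header/body boundary described above, as an added example that is not from the original post: a small parser that splits a raw response at the first blank line and shows that a header-shaped line arriving after it is only body text. The function name and the sample response are constructed for illustration.

```php
<?php
// Added illustration; the function name and sample response are constructed.

// Split a raw HTTP response into status line, headers and body.
// Everything before the first blank line is header; everything after is content.
function splitResponse(string $raw): array
{
    $parts  = preg_split('/\r?\n\r?\n/', $raw, 2);
    $lines  = preg_split('/\r?\n/', $parts[0]);
    $status = array_shift($lines);

    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue;                                  // not a "Name: value" line
        }
        [$name, $value] = explode(':', $line, 2);
        // Header names are case-insensitive and may repeat, so keep a list per name.
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return ['status' => $status, 'headers' => $headers, 'body' => $parts[1] ?? ''];
}

// Constructed response: content was already going out when a cookie line followed.
$raw = "HTTP/1.1 200 OK\r\n"
     . "Content-Type: text/html\r\n"
     . "\r\n"
     . "<html><body>test\r\n"
     . "Set-Cookie: user_id=abc123\r\n"
     . "</body></html>\r\n";

$r = splitResponse($raw);
var_dump(isset($r['headers']['content-type']));          // parsed as a header
var_dump(isset($r['headers']['set-cookie']));            // arrived after the blank line
var_dump(strpos($r['body'], 'Set-Cookie:') !== false);   // so it is page content
```

PHP itself never emits such a late line; it raises the "headers already sent" warning instead, because on the wire the line could only be read as content.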