https referer


why is it that when the referrer came from a https the $_server['http_referer'] is empty but if it came from http its working? thanks

[eluser]Phil Sturgeon[/eluser]
Must be a security thing? Keeps your online secure history secret from the next server you visit.

[eluser]GSV Sleeper Service[/eluser]
from the PHP manual.

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

also, are you using IE?

is there any way i can get http_referer from https? thanks for fast reply

[eluser]GSV Sleeper Service[/eluser]
not reliably, no. some proxies strip out the referer, and you can tell firefox (and possibly other browsers) not to send referers.

ok thanks.

[eluser]Frank Berger[/eluser]
The http RFC states for this:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

see here:

That means that if you switch from a https: link to a http: link, no referer will be set by any browser. Furthermore, in Mozilla based browsers (Netscape, Firefox and so on) it is a configurable setting if referer is set between https: and https: links:

I suppose other clients have similar rules put in, besides the fact that most have the general setting of a referer as a optional setting. I suppose as well that the private/porn modes in Safari, IE8 and Googles new browser wont set a referer as well.

The short and ugly is, as stated above, don't use/rely on referer. I don't think i used that header since like 1999 in any of my applications/websites and was able to do all i needed to do.


[eluser]Colin Williams[/eluser]
Good stuff, Frank. If you need to communicate something from a secured section to a non-secure section, use sessions.

$_SERVER is an array which contain information. This information is related to the headers, paths, and script locations. Entries of the array is created by the web server.Through the use of a command-line tool and IIs HTTP/HTTPS settings are configured. Command-line tool is use when a WCF service is self-hosted.

Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  

  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.