Determining Referer in PHP

Question

What is the most reliable and secure way to determine what page either sent  or called  via AJAX    the current page   I don t want to use the   SERVER  HTTP REFERER    because of the  lack of  reliability  and I need the page being called to only come from requests originating on my site  Edit  I am looking to verify that a script that preforms a series of actions is being called from a page on my website

User · Answer

We have only single option left after reading all the fake referrer problems: i.e. The page we desire to track as referrer should be kept in session, and as ajax called then checking in session if it has referrer page value and doing the action other wise no action.

While on the other hand as he request any different page then make the referrer session value to null.

Remember that session variable is set on desire page request only.

User · Answer

There is no reliable way to check this  It s really under client s hand to tell you where it came from  You could imagine to use cookie or sessions informations put only on some pages of your website  but doing so your would break user experience with bookmarks

User · Answer

The REFERER is sent by the client s browser as part of the HTTP protocol  and is therefore unreliable indeed  It might not be there  it might be forged  you just can t trust it if it s for security reasons   If you want to verify if a request is coming from your site  well you can t  but you can verify the user has been to your site and or is authenticated  Cookies are sent in AJAX requests so you can rely on that

User · Answer

What I have found best is a CSRF token and save it in the session for links where you need to verify the referrer    So if you are generating a FB callback then it would look something like this    token   uniqid mt rand    TRUE     SESSION  token      token   url    http   example com index php token   token      Then the index php will look like this   if empty   GET  token         GET  token         SESSION  token          show 404          Continue with the rest of code   I do know of secure sites that do the equivalent of this for all their secure pages

User · Answer

Using   SERVER  HTTP REFERER       The address of the page  if any  which referred the user agent to the   current page  This is set by the user agent  Not all user agents will   set this  and some provide the ability to modify HTTP REFERER as a   feature  In short  it cannot really be trusted    if   empty   SERVER  HTTP REFERER           header  Location        SERVER  HTTP REFERER       else       header  Location  index php      exit

[php] Determining Referer in PHP

Examples related to php

Examples related to http-referer