SyntaxFix

[php] Determining Referer in PHP

What is the most reliable and secure way to determine what page either sent, or called (via AJAX), the current page. I don't want to use the $_SERVER['HTTP_REFERER'], because of the (lack of) reliability, and I need the page being called to only come from requests originating on my site.

Edit: I am looking to verify that a script that preforms a series of actions is being called from a page on my website.

This question is related to php http-referer

The answer is

There is no reliable way to check this. It's really under client's hand to tell you where it came from. You could imagine to use cookie or sessions informations put only on some pages of your website, but doing so your would break user experience with bookmarks.

What I have found best is a CSRF token and save it in the session for links where you need to verify the referrer.

So if you are generating a FB callback then it would look something like this:

$token = uniqid(mt_rand(), TRUE);
$_SESSION['token'] = $token;
$url = "http://example.com/index.php?token={$token}";

Then the index.php will look like this:

if(empty($_GET['token']) || $_GET['token'] !== $_SESSION['token'])
{
    show_404();
} 

//Continue with the rest of code

I do know of secure sites that do the equivalent of this for all their secure pages.

Using $_SERVER['HTTP_REFERER']

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

if (!empty($_SERVER['HTTP_REFERER'])) {
    header("Location: " . $_SERVER['HTTP_REFERER']);
} else {
    header("Location: index.php");
}
exit;

We have only single option left after reading all the fake referrer problems: i.e. The page we desire to track as referrer should be kept in session, and as ajax called then checking in session if it has referrer page value and doing the action other wise no action.

While on the other hand as he request any different page then make the referrer session value to null.

Remember that session variable is set on desire page request only.

Source: Stackoverflow.com

Examples related to php

I am receiving warning in Facebook Application using PHP SDK Pass PDO prepared statement to variables Parse error: syntax error, unexpected [ Preg_match backtrack error Removing "http://" from a string How do I hide the PHP explode delimiter from submitted form results? Problems with installation of Google App Engine SDK for php in OS X Laravel 4 with Sentry 2 add user to a group on Registration php & mysql query not echoing in html with tags? How do I show a message in the foreach loop?

Examples related to http-referer

In what cases will HTTP_REFERER be empty Getting the HTTP Referrer in ASP.NET Get original URL referer with PHP? Determining Referer in PHP

Tags

Google-groups Cobol.net Block-device Accessibility-api Headphones Django-voting Getclientrect Fitness Ios Textmatebundles Lexicon Expression-design Finddialog Diacritics Initializecomponent Jetty Unique-constraint Eclipse-europa Stable-sort Unmanaged Jvlc Memory-access Android-scrollbar Nscoding Spaceship-operator Qpixmap Inflate Winrar Gstring Sql-navigator Homebrew Message Common-tasks 2checkout Esb Fusioncharts Icomparer Icann Deep-copy Generated-sql Commerceserver Selectionchanged Qx11embedcontainer Virtual-copy Formencode Hibernation Mongo-scala-driver Dsss Uibuilder G15 Xml-literals Asp.net-customcontrol Tesla Fortran95 Decompiling Octal Model-checking Rodbc Xbase Scjp Ip-camera Dc Mlint Rokon Slideup Mql Midp Mod-autoindex Ansi-92 Htmlspecialchars Malformedurlexception Cfeclipse Reshape Xmlstreamreader Montecarlo Linefeed Kinect Put Hgserve Nested-includes Static-reflection Xmllist Aspect-ratio Chronometer Multipage Sp-msforeachdb Android-capture Resource-management Ioc-container Submission Bytearrayinputstream Xmltextwriter Managed K2 Middleware Cyanogenmod Outlining B-tree-index Virtual-pc-2007 Pushviewcontroller