firefox vs ie7 & any other browsers problem with HTTP_REFERER

[rj2kix]

hello,

 

i have a simple code for my website, that checks to see if they were sent to the page thru the appropriate referral page.  if not, they are then redirected to the home page and denied access to said page.

 

this code i have works fine on firefox, but just today i discovered it does not work on ie7 and who knows what other browsers it might not work on. 

 

if you could please review and then give some advice i'd really appreciate figuring out this problem.

 

<?

$ref = getenv("HTTP_REFERER");

$pos = strpos($ref,"results1.php");

if ($pos === false) {

$URL="http://www.truelifekarma.com/index.php?aff=resultspage";

header ("Location: $URL");

} else {

}

?>

[rj2kix]

nobody?

 

i'm scratchin my brain here i dont know if its my server or my syntax or ie7's craziness.

 

i'm a firefox guy myself and i build and test everything in it

[trq]

HTTP_REFERER is unreliable at best. It can be forged / changed by the client and yeah, some browsers don't send it. This is common knowledge or at least should be.

[rj2kix]

well i use this script to protect my results end pages from users who just go straight to them without going thru my site first.

 

is there any other methods i can employ that is mutli browser compatible?

[btherl]

Try using phpinfo() to see exactly what IS set by IE 7.  Then you can go from there.

[GingerRobot]

Try using phpinfo() to see exactly what IS set by IE 7.  Then you can go from there.

 

I disagree - HTTP_REFERRER should really only be used for data collection purposes - not security. As thorpe said, it is unreliable at best. For instance, whilst firefox does send the referrer by default, it can be set up not to. I think you'll find that there are some firewalls which block the sending of the referrer too.

 

well i use this script to protect my results end pages from users who just go straight to them without going thru my site first.

 

is there any other methods i can employ that is mutli browser compatible?

 

As for that, you could set a session on the page you want people to go through first - and on the results page, check this session exists. If it does not, you can redirect them to the home page - if it does, then let them view the results.

[btherl]

HTTP_REFERER is an excellent method of detecting and denying access to unauthorized links to your files.

 

It is an insufficient method of preventing direct downloads by a determined user.  It does not prevent this.

 

If all the OP wants is to prevent direct links to his files from other sites, then HTTP_REFERER is not only appropriate but is ideal.  All the arguments against HTTP_REFERER make the assumption that the user using the browser is malicious, but it still provides protection against a malicious website.

[rj2kix]

okay so i implemented sessions, good idea.

 

had session start on the page where they finish taking the Karma Test and set a session variable.

 

Then on the Results page that they are supposed to only see if they've taken the test, I check to see if that sesion variable is set, if it is not set, they go back to the home page.

 

WELLLLL This AGAIN works perfectly in Firefox but STILL does not work in IE7!!!

 

I am getting very frustrated.

[rj2kix]

why does my HTTP_REFERER code and my Session code both work fine on firefox, and not work at all in ie7?

[MadTechie]

never replie on HTTP_REFERER, personally i try to use it as little as possible..

 

'HTTP_REFERER'

    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

[btherl]

rj, what did phpinfo() show differently for firefox and IE7?

 

If sessions do not work with IE7, that indicates that IE is configured not to accept cookies, or not to pass cookies to the pages you want to pass them too.  Does a simple session example with a single file work with IE7?

 

Regarding criticisms of HTTP_REFERER, it is perfectly ok to use it as long as you understand its limitations.  Websites should always be designed for the majority of users, and the majority will send HTTP_REFERER correctly with each request.

[cooldude832]

Sessions shouldn't have any issues with a single browser, yes you can delete session data, but you can't adjust it on your own since its server side. 

 

As for the http_refer, it was one of those legacy things that use to be a very common part of the language construct, but with time its reliable has wavered and thus is is part of the language construct for legacy purposes.  I believe there is a revamping of the Superglobals completely in six that might even include a removal of this, but I am unaware of the specifics, all I know is that registered globals is no longer an option, defaulted to OFF   Yes it does contain some data who's reliability is none at best, but on a large scale, such as a website with 100k+ hits a day, tracking the in routes with it will yield semi accurate results (Depending on your confidence interval).  However on a smaller scale when the distribution of browsers is not equal to the norms, odds of it having any reliability dramatically drop.

In a nutshell the only time you would use this superglobal would be to track navigation around your site, but at best it can only be used as an estimation.

[btherl]

HTTP_REFERER is nothing to do with globals.  It's a variable sent by the browser to the server, and ALL such variables must be made available to the php script in one form or another.  Anything else is insanity.  Currently the recommended method of access is $_SERVER

 

register_globals and superglobals is another issue altogether, and has nothing to do with availability or accuracy of HTTP_REFERER.

 

As for its accuracy, it remains high, unless your userbase is skewed towards technically inclined users.  I can't believe that some people claim that it is unreliable when all real evidence is clearly to the contrary.

 

FYI, my work involves clickstream processing of something like 200 million hits daily, where most of our data sources include the HTTP_REFERER data.

[cooldude832]

It is not a reliable enough system to use for a single purpose of a 1/0 test.  It is reliable enough for large level data collection, but beyond this its uses are limited.  Yes as I stated it as a positive exponential correlation between accruals and number of trials, but in terms of say if($_SERVER['HTTP_REFER']) == "Formpage.php"){//process}

This is just to unreliable to be a realistic solution.

[btherl]

... but in terms of say if($_SERVER['HTTP_REFER']) == "Formpage.php"){//process}

This is just to unreliable to be a realistic solution.

 

But it IS reliable enough to be a realistic solution.  It works perfectly fine in practice.  Read my earlier post in this thread for details on when it works and when it doesn't.

[cooldude832]

a logical statement needs to succed on a one on one basis not a 99999 to 1000000 its that smiple.

[btherl]

a logical statement needs to succed on a one on one basis not a 99999 to 1000000 its that smiple.

 

No it doesn't.  I'm not going to discuss this further because it's off-topic.

[rj2kix]

i'm still not clear on a way to get what i'm trying to do accomplished.

 

both codes i've written work flawlessly on firefox, but i need a solution that works with IE7!  IE7 is the devil.

 

[rj2kix]

anyone have an idea on why my code isnt working or what i should do?

[btherl]

You should try phpinfo() and see what IS set with IE7.

[MadTechie]

IE7 Blocks it, (see IE7 Security/privacy settings)

Your need to use something new.. cookies,sessions, GET etc

 

 

never replie on HTTP_REFERER, personally i try to use it as little as possible..

 

'HTTP_REFERER'

    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

[rj2kix]

what can i use in place of HTTP_REFERER ?

 

because I also use it for detecting where my incoming links are to correlate them with potential conversions for my admin stats.

 

 $ref = $_SERVER['HTTP_REFERER'];  

    
  if (strpos($ref,"myspace.com") !== false && strpos($ref,"myspace.com") != '')  
       setcookie("aff", "myspace");  
  elseif (strpos($ref,"google.com") !== false && strpos($ref,"google.com") != '')  
       setcookie("aff", "google");  
  elseif (strpos($ref,"yahoo.com") !== false && strpos($ref,"yahoo.com") != '')  
       setcookie("aff", "yahoo");  
  elseif (strpos($ref,"msn.com") !== false && strpos($ref,"msn.com") != '')  
       setcookie("aff", "msn");  
  else  
       setcookie("aff", "typein");  
    
  }  
    

[GingerRobot]

If you are using http_referer for data collection purposes, which is not crictical to the running of your site, then that is fine.

 

However, i would disagree with btherl that only technically minded people may be making requests without an http referer being sent. As i've said before, some filewalls (notably norton filewalls - google and you'll see) by default disable the sending of the http referer. This is the main reason why i feel that using the http referer to prevent access is a bad idea - perfectly legitimate computer illiterate users can be blocked. However, i will agree that it can be used to prevent other sites linking to your files - if the http referer is present and it is not from your website and the file being retrieved should only be accessed from a user already on your website, then it is a method of protection against the non technically minded.

 

Sessions shouldn't have any issues with a single browser, yes you can delete session data, but you can't adjust it on your own since its server side. 

 

Incorrect. Unless you set PHP up to pass the session id around in the URL, cookies need to be enabled for sessions to work.

 

As for the question rj2kix: im not sure what you're really trying to do? Why would you store the name of the website that a user came from in a cookie?

[rj2kix]

on my index page i store the referrer of the website in a cookie, and on my signup page, it checks to see if the cookie was set by a common referrer, or by an affiliate.

 

this will then update my admin statistics with who is referrering me the most signups.  whether it be search engines, myspace, affiliates, etc.

[GingerRobot]

If that's what you're using the referrer for, then it should be fine. Of course, you could also ask people on the signup form how they heard about the website.