Http_referrer Vs. Meta Refresh


I need to track the HTTP_Referrer every time a page is hit so that I know if they came from another link, or if they typed the URL in the location bar. I'm trying to prevent users within the site from doing the latter. But there is no http_referrer when you come from a meta refresh, which is OK for users to do. Is there any way that I can tell if the user has come to the page from the location bar vs. anything else? Or any way to tell if they came from a meta-refresh?


Please help!! :pissed:





I'm not really sure what you mean by "come from a meta refresh"...


You tried doing a print_r on $_SERVER to find anything that might be useful?


echo "<pre>";
print_r($_SERVER); // dump every server/request variable PHP received
echo "</pre>";


To be honest you should never rely on the HTTP_REFERER header because it can be blocked/spoofed and some browsers do not even send it.


Am I right in assuming you are trying to stop users directly accessing a page and rather have them either POST to it or be forwarded there by the script? Maybe if you could explain exactly what you are trying to do I can help think of an alternative more secure way of doing this.


The basic idea is this. Access to pages on the site is based on the menu system. But you can get to several other pages from links on the pages etc. IDs of certain content are displayed in the querystring. For example, if user A from Company A is looking at their contact, let's say contactid 45, he currently could change the querystring to contactid 46, which may belong to Company B. As I originally designed the site, I should have taken more time to add checking on every page but we didn't and we were trying to figure out the cheapest way to fix the problem. I thought that preventing a user from going to a page from the location bar unless they had already been there would be a safe bet, but I ran into this problem with the referrer.


I know I could accomplish what I want by going to every page and adding checking there; however, that would be extremely long and costly. Just trying to find other alternatives.




Surely though you are adding checks in to check the $_SERVER['HTTP_REFERER'] value in the PHP file to ensure they are coming from a link and not a direct entry in the address bar.


I can't really think of a safe way of doing it without checking. I mean there are ways around HTTP_REFERER anyway as I stated so I would personally recommend spending the time to check if that contact belongs to that user.


Just an example of how your method could be circumnavigated is using the web developer's 'Firebug' plugin for Firefox. I could log in as user A from Company A, then Firebug the page (editing the HTML live) and edit the links to point to a different contactid and then effectively view other company contact data... I know that's a pretty specific example but I feel it shows how easily these things can be done.


As your site grows it is only going to become more complicated to introduce error checking so I would strongly recommend doing it.


Sorry I can't be of any other help.
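
The per-record check recommended in the last reply can live in one shared helper that every page calls, so the decision never depends on the Referer header. This is an added example, not code posted in the thread; the `contacts` table, the `company_id` column, the session layout and the in-memory SQLite database (PHP 8 with pdo_sqlite) are assumptions, and the sample rows and requests are constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample data: contact 45 belongs to company 1 (A), 46 to company 2 (B).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL, name TEXT NOT NULL)');
$db->exec("INSERT INTO contacts VALUES (45, 1, 'Contact of Company A'), (46, 2, 'Contact of Company B')");

/**
 * Return the contact only if it belongs to the caller's company, else null.
 * The company id must come from the server-side session, never from the request.
 * (Hypothetical helper name; include it from every page that takes a contactid.)
 */
function loadContactForCompany(PDO $db, mixed $rawId, int $companyId): ?array
{
    // Reject anything that is not a positive integer (empty string, "46abc", arrays).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is part of the query, so another company's id matches no row.
    $stmt = $db->prepare('SELECT id, name FROM contacts WHERE id = :id AND company_id = :cid');
    $stmt->execute([':id' => $id, ':cid' => $companyId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests, all from a user whose session says company 1.
$session = ['company_id' => 1];
$requests = [
    ['contactid' => '45',    'referer' => 'https://app.example/menu.php'], // own record
    ['contactid' => '46',    'referer' => 'https://app.example/menu.php'], // edited link, Referer intact
    ['contactid' => '46',    'referer' => ''],                             // typed in the location bar
    ['contactid' => '46abc', 'referer' => ''],                             // malformed id
];
foreach ($requests as $r) {
    $contact = loadContactForCompany($db, $r['contactid'], $session['company_id']);
    // The Referer value is printed for comparison only; it plays no part in the decision.
    printf("contactid=%-6s referer=%-29s => %s\n",
        $r['contactid'],
        $r['referer'] === '' ? '(none)' : $r['referer'],
        $contact === null ? 'denied' : 'allowed: ' . $contact['name']);
}
```

The second request is the case the Referer approach cannot catch: the header looks legitimate, yet the record belongs to another company.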
