jgingras Posted April 3, 2009

I need to track the HTTP_Referrer every time a page is hit so that I know if they came from another link, or if they typed the URL in the location bar. I'm trying to prevent users within the site from doing the latter. But there is no http_referrer when you come from a meta refresh, which is OK for users to do.

Is there any way that I can tell if the user has come to the page from the location bar vs. anything else? Or any way to tell if they came from a meta refresh?

Please help!!

Thanks,
-Jacques

reNkai Posted April 3, 2009

I'm not really sure what you mean by "come from a meta refresh"... You tried doing a print_r on $_SERVER to find anything that might be useful?

    echo "<pre>"; print_r($_SERVER); echo "</pre>"; exit;

jgingras Posted April 3, 2009

Coming from a meta refresh meaning

    <meta http-equiv="refresh" content="0;url='blahblah.php'">

The $_SERVER["HTTP_Referrer"] in that case is blank.

Edited April 3, 2009 by jgingras

OJB Posted April 4, 2009

To be honest you should never rely on the HTTP_REFERRER header because it can be blocked/spoofed and some browsers do not even send it.

Am I right in assuming you are trying to stop users directly accessing a page and rather have them either POST to it or be forwarded there by the script? Maybe if you could explain exactly what you are trying to do I can help think of an alternative, more secure way of doing this.

jgingras Posted April 7, 2009

The basic idea is this. The access to pages on the site is based on the menu system. But you can get to several other pages from links on the pages etc. IDs of certain content are displayed in the querystring. For example, if user A from Company A is looking at their contact, let's say contactid 45. He currently could change the querystring to contactid 46, which may belong to Company B.

As I originally designed the site, I should have taken more time to add checking on every page, but we didn't and we were trying to figure out the cheapest way to fix the problem. I thought that preventing a user from going to a page from the location bar unless they had already been there would be a safe bet, but I ran into this problem with the referrer.

I know I could accomplish what I want by going to every page and adding checking there; however, that would be extremely long and costly. Just trying to find other alternatives.

Thanks

OJB Posted April 7, 2009

Surely though you are adding checks to check the $_SERVER['HTTP_REFERER'] value in the PHP file to ensure they are coming from a link and not a direct entry in the address bar. I can't really think of a safe way of doing it without checking. I mean there are ways around HTTP_REFERER anyway, as I stated, so I would personally recommend spending the time to check if that contact belongs to that user.

Just an example of how your method could be circumnavigated is using the web developer's 'Firebug' plugin for Firefox. I could log in as user A from Company A, then Firebug the page (editing the HTML live) and edit the links to point to a different contactid and then effectively view other company contact data... I know that's a pretty specific example, but I feel it shows how easily these things can be done.

As your site grows it is only going to become more complicated to introduce error checking, so I would strongly recommend doing it. Sorry I can't be of any other help.

jgingras Posted April 7, 2009

Thanks for the help. I guess I knew that I needed to go everywhere to add checking now, but was trying to find a way around doing it.
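
The per-record check recommended in the thread, as an added example that is not part of the original posts: the lookup is scoped to the company held in the server-side session, so changing contactid in the query string returns nothing no matter what the Referer says. The contacts table, its columns, loadOwnedContact() and the session key are assumptions, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and names; the two sample rows are constructed for the demo.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, company_id INTEGER, name TEXT)');
    $db->exec("INSERT INTO contacts VALUES (45, 1, 'Contact of Company A'), (46, 2, 'Contact of Company B')");
    return $db;
}

/**
 * Return the contact only if it belongs to the caller's company.
 * $rawId is the untrusted query-string value; $companyId must come from
 * the server-side session set at login, never from the request.
 */
function loadOwnedContact(PDO $db, $rawId, int $companyId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return null; // missing or malformed id
    }
    // The company filter is part of the query, so a foreign id matches no row.
    $stmt = $db->prepare('SELECT id, name FROM contacts WHERE id = :id AND company_id = :company');
    $stmt->execute([':id' => $id, ':company' => $companyId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = demoDb();
$sessionCompanyId = 1; // stands in for $_SESSION['company_id'] (Company A)

// Constructed request values: own record, another company's record, junk, missing.
foreach (['45', '46', '46 OR 1=1', null] as $requested) {
    $contact = loadOwnedContact($db, $requested, $sessionCompanyId);
    // A real page would send a 404 response and stop instead of printing.
    printf(
        "contactid=%s => %s\n",
        var_export($requested, true),
        $contact === null ? 'denied' : 'allowed: ' . $contact['name']
    );
}
```

Keeping the company filter inside one shared helper means each page needs a single call rather than its own hand-written check.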