How to use $_SERVER['HTTP_REFERER'] correctly in php?

Asked 26/3, 2016 at 19:52 Answered 4/11, 2016 at 19:2

Lets say i have two pages page1.php and page2.php and i want page2.php to be displayed only if it is redirected form page1.php and i inserted this code to page2.php

if($_SERVER['HTTP_REFERER'] == "page1.php")
{
    //keep displaying page2.php
}else{
    //if it is not redirected from page1.php
    header('Location:page1.php')
    //redirect the user back to page1.php 
}

this code worked fine until i have a form and a submit button on page2.php when the submit button is clicked the page refreshes which means the HTTP_REFERER will change to page2.php so my if statement fails and it takes me back to page1.php i don't want that to happen. Is there any way to prevent this from happening?

Thanks in advance.

Florencia answered 26/3, 2016 at 19:52 Comment(2)

The referer is an user provided value and shouldn't be relied on as it can be manipulated or omitted at all. Instead use sessions, set a session variable on page1.php and check for it on page2.php. – Eocene 26/3, 2016 at 19:54

@CharlesAddis i added the code but it doesn't seem to change anything. – Florencia 26/3, 2016 at 20:12

I wouldn't recommend using HTTP_REFERER:

It's fairly simple to manipulable in browser.
Some users might have security settings in their browser to not send this header at all.
It's not accessible over HTTPS.
Some proxies strip this header from the request
Added - See answer to this quesion

As Charlotte Dunois stated in the comment, better set session value before sending the form and then check it on page2.

page1.php:

$_SESSION[ 'display_page2' ] = TRUE;
//rest of the content

page2.php:

if ( (isset( $_SESSION[ 'display_page2' ] ) && $_SESSION[ 'display_page2' ] === TRUE ) || isset( $_POST[ 'some_form_input' ] ) ) {
  //keep displaying page2.php
} else {
  header('Location:page1.php');
  exit;
}

With isset( $_POST[ 'some_form_input' ] ), you can check whether the form has been sent (via POST method).

When needed, you can unset the session with unset( $_SESSION[ 'display_page2' ] ); or by setting it to different value.

Pecoraro answered 26/3, 2016 at 20:2 Comment(5)

Adding the or operator doesn't solve the problem it will allow the user if they use the url to get page2.php – Florencia 26/3, 2016 at 20:9

The referer is still accessible over HTTPS. – Eocene 26/3, 2016 at 20:31

Coming to this post years after, but I just wanted to show that 1st condition can be simplified by using empty method that check both isset and to be TRUE : if (!empty($_SESSION['display_page2']) – Thyself 20/5, 2022 at 9:20

@Thyself Yes, it could. Just note that some linters don't allow using empty() because it's ambiguous. – Pecoraro 20/5, 2022 at 10:53

@PetrHejda OK thanks, I didn't think about that. – Thyself 20/5, 2022 at 15:33

I advise against using $_SERVER['HTTP_REFERER'] as it can be easily spoofed.

Instead , you could set a cookie when they load page 1 using setcookie("page1", 1); before any markup is output. Then check for it on page 2 using

if(isset($_COOKIE['page1']))
{
    //keep displaying page2.php
}else{
    //if it is not redirected from page1.php
    header('Location:page1.php')
    //redirect the user back to page1.php 
}

By not specifying the expiry date the cookie will expire when the browser is closed. In this situation, using cookies also makes for much more readable code to others.

Concierge answered 26/3, 2016 at 20:17 Comment(3)

This is exactly the approach I would suggest, surafel. You'll have much better results using cookies and it can be used in many different ways! Check out w3schools.com/php/func_http_setcookie.asp for a basic example. – Ardenardency 26/3, 2016 at 20:24

@jarmerson Please link the php.net documentation page to setcookie instead of w3fools. – Eocene 26/3, 2016 at 20:29

@Cha I already have, he was just helping others find another example. The official ones aren't always that useful. – Concierge 26/3, 2016 at 20:30

<?php
if(($_SERVER['HTTP_REFERER'] == "page1.php") || (isset($_POST['submit']) && $_SERVER['HTTP_REFERER']=="page2.php"))
{
    //keep displaying page2.php
}else{
    //if it is not redirected from page1.php
    header('Location:page1.php');
    //redirect the user back to page1.php 
}

?>

if the referrer is not page 1 you could check the condition if referrer = page2 and post is submitted. or check if the referrer is page1 or post is submitted. this is a possibility to avoid your problem.

Tortuosity answered 26/3, 2016 at 20:10 Comment(0)

<?php

/* 
    this page allows links from the following pages

    public.php?id=links
    private.php?id=links

don't allow if visitors come from anywhere else

this example would only work if I used the entire URL in the 'if' statement 
*/

$referringpage = $_SERVER['HTTP_REFERER'];

if ( $referringpage == "http://www.example.com/public.php?id=links" ) {
$pass = "yes";
} elseif ( $referringpage == "http://www.example.com/private.php?id=links" ) {
$pass = "yes";
} else {
$pass = "no";
}


if ( $pass == "yes" ) {
// do the function this page was made to do
} 

header( "Location: http://www.example.com/public.php?id=links" );

?>

Laurin answered 4/11, 2016 at 19:2 Comment(0)

Recommended topics

Hot tags