Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to use $_SERVER['HTTP_REFERER'] correctly in php?

Tags:

php

http-redirect

http-referer

Lets say i have two pages page1.php and page2.php and i want page2.php to be displayed only if it is redirected form page1.php and i inserted this code to page2.php

if($_SERVER['HTTP_REFERER'] == "page1.php")
{
    //keep displaying page2.php
}else{
    //if it is not redirected from page1.php
    header('Location:page1.php')
    //redirect the user back to page1.php 
}

this code worked fine until i have a form and a submit button on page2.php when the submit button is clicked the page refreshes which means the HTTP_REFERER will change to page2.php so my if statement fails and it takes me back to page1.php i don't want that to happen. Is there any way to prevent this from happening?

Thanks in advance.

like image 595
surafel Avatar asked Jun 05 '26 16:06

surafel

2 Answers

I wouldn't recommend using HTTP_REFERER:

  1. It's fairly simple to manipulable in browser.

  2. Some users might have security settings in their browser to not send this header at all.

  3. It's not accessible over HTTPS.

  4. Some proxies strip this header from the request

  5. Added - See answer to this quesion

As Charlotte Dunois stated in the comment, better set session value before sending the form and then check it on page2.

page1.php:

$_SESSION[ 'display_page2' ] = TRUE;
//rest of the content

page2.php:

if ( (isset( $_SESSION[ 'display_page2' ] ) && $_SESSION[ 'display_page2' ] === TRUE ) || isset( $_POST[ 'some_form_input' ] ) ) {
  //keep displaying page2.php
} else {
  header('Location:page1.php');
  exit;
}

With isset( $_POST[ 'some_form_input' ] ), you can check whether the form has been sent (via POST method).

When needed, you can unset the session with unset( $_SESSION[ 'display_page2' ] ); or by setting it to different value.

like image 106
Petr Hejda Avatar answered Jun 10 '26 15:06

Petr Hejda

I advise against using $_SERVER['HTTP_REFERER'] as it can be easily spoofed.

Instead , you could set a cookie when they load page 1 using setcookie("page1", 1); before any markup is output. Then check for it on page 2 using

if(isset($_COOKIE['page1']))
{
    //keep displaying page2.php
}else{
    //if it is not redirected from page1.php
    header('Location:page1.php')
    //redirect the user back to page1.php 
}

By not specifying the expiry date the cookie will expire when the browser is closed. In this situation, using cookies also makes for much more readable code to others.

like image 42
Roshan Bhumbra Avatar answered Jun 10 '26 15:06

Roshan Bhumbra

Sign in to Comment

Related questions

Most efficient way to change the hash type of a password (md5 to sha1)
How to use javascript array elements in google.visualization graphs
Codeigniter 4, call a controller method in a seeder
How to tell PHP static code analysers to read the generic type hint from a callable, instead of expecting the class name as a string?
csv data import into mysql database using php
PHP class properties without "$this"
Form is not sending any data to querystring
What is the proper way to test CodeIgniter session variable?
function php with while loop
Whats the difference between a @property annotation and a protected variable in PHP?
PHP curl: "Unknown cipher in list"
php get the post data when using pagination script
how to disable security.info and security.debug in monolog symfony2 logging
Yii2: specific form field editable based on Role
How to get 'oauth_consumer_key' and 'oauth_consumer_secret' from google

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!