When does the browser set the "referrer" in the HTTP request header?

I have a login page and users from different domains are redirected to this page for the purpose of SSO. I use the referrer HTTP Header field to know where the user has come from, thus on successful login, I return him/her back to his/her original domain. But sometimes my referrer is not set, while other times it's set. Why?

Rasoul Zabihi asked Dec 05 '22 21:12


2 Answers

Users can come to your page using different methods:

  1. By entering the URL of your page, directly into the address bar of the browser
  2. By clicking a link to your site from another site
  3. By reloading your current page
  4. By submitting a form on your site (sending a POST request back to your site)
  5. By navigating through back/forward buttons of your browser.
  6. By being redirected through a previous page to the current page.

Now, browsers really differ in how and when they set the referrer header field. But as a general rule, you can be sure that on a link click, or on submitting a form (POST request), they set the referrer field. Also, if you have come to the current page via a redirect or a link, the browser still preserves the referrer header on F5 (page reload).

If you see that your referrer field is empty, it's because someone knows your login page URL and enters it directly into the address bar, or someone has bookmarked it, and so sends a GET request.

Generally, you shouldn't always expect the referrer field, because it's outside your control. You should use cookies, or query strings, because they are under your control.

Saeed Neamati answered Dec 09 '22 15:12
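
The answer above recommends carrying the return target in a query string rather than relying on the Referer header. The following is an added example, not part of the original answer, showing a login handler that prefers an explicit parameter, treats Referer only as an optional hint, and validates both against an allowlist so the login page cannot be used as an open redirect. The parameter name `return_to`, the host list and the fallback URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts of the sites that send users to this SSO login page (constructed).
ALLOWED_HOSTS = {"app.example.com", "shop.example.org"}
DEFAULT_RETURN = "https://app.example.com/"  # hypothetical fallback landing page


def _safe_target(url):
    """Return url if it is an absolute https URL on an allowlisted host, else None."""
    # Reject characters that browsers and URL parsers interpret differently.
    if not url or any(c in url for c in "\\\r\n\t"):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    # Scheme-relative ("//host") and non-https URLs have no accepted scheme here;
    # userinfo ("user@host") is a common way to disguise the real host.
    if parts.scheme != "https" or parts.username or parts.password:
        return None
    # Exact host match: suffix or substring checks would accept look-alike hosts.
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    return url


def resolve_return_url(query, headers):
    """Choose where to send the user after a successful login.

    query:   dict of parsed query-string parameters
    headers: dict of request headers with lower-cased names
    """
    # 1. Explicit parameter set by the site that redirected the user here.
    target = _safe_target(query.get("return_to"))
    if target:
        return target
    # 2. Referer is optional and client-controlled: use it only as a hint,
    #    and validate it exactly like the parameter.
    target = _safe_target(headers.get("referer"))
    if target:
        return target
    # 3. Typed URL, bookmark, or stripped header: fall back to a fixed page.
    return DEFAULT_RETURN
```
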


The other thing is that some users may have the referer option set as disabled in their browsers as a part of browser security settings.

Mobile Developer answered Dec 09 '22 14:12