Is $_SERVER['HTTP_REFERER'] Safe

is $_SERVER['HTTP_REFERER'] safe?

Not like that.

It might not be present. (It might also be wrong: some personal firewall packages obfuscate the referer for privacy reasons, violating the HTTP spec along the way.)

You should run anything coming from outside your system through htmlspecialchars to guard against XSS attacks (although, IIRC, the referer should never have any dangerous characters in it, as they should be URL safe, you should keep in the habit of always being cautious).

Browsers come with back buttons though, there is no need to try to duplicate their functionality (especially when, with this, if the user clicks a link marked "back" it doesn't take them back in their history, so clicking the normal back button will conceptually take them forwards).

How reliable is HTTP_REFERER?

Using HTTP_REFERER isn't reliable, its value is dependent on the HTTP Referer header sent by the browser or client application to the server and therefore can't be trusted because it can be manipulated.

Regarding the Referer header, section 15.1.2 of RFC 2616 states:

Therefore, applications SHOULD supply as much control over this information as possible to the provider of that information.

and

We suggest, though do not require, that a convenient toggle interface be provided for the user to enable or disable the sending of From and Referer information.

Many online privacy tools mangle this value and many browsers such as Firefox have for a long time permitted users to prevent this header being sent. So in a nutshell, I wouldn't rely on it for any serious purpose, for example securing forms so that drive-by spammers can't post values, because the Referer can be spoofed.

For further reading see:

Using referer field for authentication or authorization (WayBackMachine)

Is validating $_SERVER[HTTP_REFERER] against a known URL safe?

If web app security is your primary concern, you should use some other mechanism to make sure the request indeed came from your own other page. The answer you quoted explains it well. You shouldn't trust HTTP_REFERER only.

You can make use of sessionStorage if you want to set some other identifying token, and then read that each time you submit the form. Cross-check it every time you receive the request. And you can keep on altering it if you want more non-predictive behavior.

Does that make sense?

Result from $_SERVER['HTTP_REFERER'], when referer header is not sent to server

If the HTTP referer request header is not sent then the $_SERVER['HTTP_REFERER'] is probably not set, although it could be an empty string. Whether it is set or not in this case could depend on the server.

As with all HTTP request headers, check for its existence when reading:

$httpReferer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;

$_SERVER['HTTP_REFERER'] is it ok to use it with multiple forms

As the documentation says, not all user agents set the referer:

'HTTP_REFERER'

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

In other words, $_SERVER['HTTP_REFERER'] may be empty.

I would rather use JavaScript:

<a href="javascript:history.go(-1)">Back</a>

Sometimes it is possible to determine the previous page by the logic of your application. For example, if a page "Step 2" goes after a page "Step 1", then I would generate a URL according to the logic: /registration/step1, /registration/step2, etc. This is the most reliable way.

$_SERVER[HTTP_REFERER] issue

Use the following snippet:

// Match only referers whose origin is http://t.co/ or https://t.co/
// (anchored with ^ so "http://t.co.evil.net/" does not match).
if (preg_match('/^https?:\/\/t\.co\//', $_SERVER['HTTP_REFERER'])) {
    # allowed
}

This will also match https requests, by the way.

Alternatively, you can use parse_url, like this:

$parsed = parse_url($_SERVER['HTTP_REFERER']);
// parse_url() returns false for a malformed URL and omits 'host' when there
// is none, so check both before comparing (avoids an undefined-index notice).
if (is_array($parsed) && isset($parsed['host']) && $parsed['host'] === 't.co') {
    # allowed
}

Keep in mind though that $_SERVER['HTTP_REFERER'] might not be set or empty, thus an additional

if (isset($_SERVER['HTTP_REFERER']))

is useful in both cases.

Using PHP's $_SERVER['HTTP_REFERER'] Without Recognizing Parameters

The easiest way is to check if HTTP_REFERER starts with the URL you want:

// Prefix match on the origin; the trailing slash matters, otherwise
// http://www.example.com.evil.net/ would also start with the string.
if (isset($_SERVER['HTTP_REFERER'])
    && strpos($_SERVER['HTTP_REFERER'], 'http://www.example.com/') === 0) {
    // came from www.example.com, whatever the path or query string
}
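The three answers above (escape the referer before echoing it, compare the parsed host rather than the raw string, and prefix-match the origin) fit together as one helper. The following is an added example, not code from any of the answers; `refererFromOrigin`, `backLink`, the allowed origin `https://www.example.com` and the sample referer values are all assumptions constructed for this page. It compares scheme, host and port after parsing, which rejects both the `www.example.com.evil.net` prefix trick and the `www.example.com@evil.net` userinfo trick, refuses non-http(s) schemes, treats a missing or empty header as "not from us", and still accepts a referer that a browser's Referrer-Policy has trimmed down to a bare origin.

```php
<?php
declare(strict_types=1);

/**
 * Check that a Referer value came from one allowed origin.
 *
 * The value is parsed and its scheme, host and port are compared rather than
 * string-prefix matched, so "https://www.example.com.evil.net/" and
 * "https://www.example.com@evil.net/" (userinfo trick) are both rejected.
 * A referer trimmed to a bare origin by the browser's Referrer-Policy still
 * passes, because only the origin is compared.
 */
function refererFromOrigin(?string $referer, string $allowedOrigin): bool
{
    if ($referer === null || $referer === '') {
        return false;                  // header absent or stripped: not from us
    }
    $ref     = parse_url($referer);
    $allowed = parse_url($allowedOrigin);
    if ($ref === false || $allowed === false
        || !isset($ref['scheme'], $ref['host'], $allowed['scheme'], $allowed['host'])) {
        return false;                  // unparseable, or no scheme/host to compare
    }
    $scheme = strtolower($ref['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                  // javascript:, data:, etc. never pass
    }
    $defaultPort   = static fn (string $s): int => $s === 'https' ? 443 : 80;
    $allowedScheme = strtolower($allowed['scheme']);
    return $scheme === $allowedScheme
        && strtolower($ref['host']) === strtolower($allowed['host'])
        && ($ref['port'] ?? $defaultPort($scheme)) === ($allowed['port'] ?? $defaultPort($allowedScheme));
}

/**
 * Build a "Back" link from the referer, falling back to a known page when the
 * referer is missing or foreign. The href is HTML-escaped before output.
 */
function backLink(?string $referer, string $allowedOrigin, string $fallback): string
{
    $target = refererFromOrigin($referer, $allowedOrigin) ? $referer : $fallback;
    return '<a href="' . htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Back</a>';
}

// Constructed sample referer values (not captured traffic); the second column
// is the verdict expected for an allowed origin of https://www.example.com.
$samples = [
    ['https://www.example.com/step1?x=1',  true],   // legitimate
    ['https://www.example.com',            true],   // origin-only referer
    ['HTTPS://WWW.EXAMPLE.COM/',           true],   // scheme/host are case-insensitive
    ['https://www.example.com:8443/',      false],  // wrong port
    ['http://www.example.com/',            false],  // downgraded scheme
    ['https://www.example.com.evil.net/',  false],  // prefix trick
    ['https://www.example.com@evil.net/',  false],  // userinfo trick
    ['javascript:alert(1)',                false],  // not http(s)
    ['',                                   false],  // empty header
    [null,                                 false],  // header absent
];
foreach ($samples as [$referer, $expected]) {
    $got = refererFromOrigin($referer, 'https://www.example.com');
    printf("%-40s %-5s %s\n", var_export($referer, true), $got ? 'ok' : 'deny',
        $got === $expected ? '' : 'UNEXPECTED');
}
echo backLink('https://www.example.com/step1?a=1&b="x"', 'https://www.example.com', '/'), "\n";
echo backLink('https://evil.net/', 'https://www.example.com', '/'), "\n";
```

In a real page you would call `refererFromOrigin($_SERVER['HTTP_REFERER'] ?? null, 'https://www.example.com')`; the `?? null` is the existence check the answers above ask for. Because the header is optional and forgeable, treat a passing result as a hint for things like a "Back" link, never as authorization.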

How to use $_SERVER['HTTP_REFERER'] correctly in php?

I wouldn't recommend using HTTP_REFERER:

  1. It's fairly simple to manipulate in the browser.

  2. Some users might have security settings in their browser to not send this header at all.

  3. It's not accessible over HTTPS.

  4. Some proxies strip this header from the request

  5. Added - See the answer to this question


As Charlotte Dunois stated in the comment, it is better to set a session value before sending the form and then check it on page2.

page1.php:

<?php
session_start();                      // must run before $_SESSION is used
$_SESSION[ 'display_page2' ] = TRUE;  // mark that page2 may now be shown
//rest of the content

page2.php:

<?php
session_start();
// Show page2 if page1 set the flag, or if the form was submitted via POST.
if ( (isset( $_SESSION[ 'display_page2' ] ) && $_SESSION[ 'display_page2' ] === TRUE ) || isset( $_POST[ 'some_form_input' ] ) ) {
    //keep displaying page2.php
} else {
    header('Location: page1.php');
    exit;
}

With isset( $_POST[ 'some_form_input' ] ), you can check whether the form has been sent (via the POST method).

When needed, you can unset the session with unset( $_SESSION[ 'display_page2' ] ); or by setting it to different value.
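The session flag above is the right direction, but as written the `|| isset( $_POST[ 'some_form_input' ] )` branch lets any POST through regardless of the flag, and the flag itself is a constant, so it can't tell a genuine submission from a replay or a drive-by POST. The following is an added example, not the answer's own code: it replaces `display_page2` with a random, single-use token bound to the session and checked with `hash_equals`. The function and key names (`issueFormToken`, `verifyFormToken`, `form_token_page2`) and the constructed POST bodies at the bottom are assumptions; the session is passed in as an array so the file runs from the CLI, and in real page1.php/page2.php you would call `session_start()` and pass `$_SESSION` and `$_POST`.

```php
<?php
declare(strict_types=1);

/**
 * Session-bound, single-use form token as the replacement for a Referer
 * check. The session is passed by reference so this file can be run from the
 * CLI against a plain array; in page1.php/page2.php call session_start() and
 * pass $_SESSION and $_POST instead. (Example code, not the original answer's.)
 */
const FORM_TOKEN_KEY = 'form_token_page2';

/** page1: mint a fresh token and remember it in the session. */
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // CSPRNG, 256 bits, hex for safe embedding
    $session[FORM_TOKEN_KEY] = $token;
    return $token;
}

/** page1: hidden field to place inside the form. */
function hiddenTokenField(string $token): string
{
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

/** page2: accept the POST only if it carries the token issued to this session. */
function verifyFormToken(array &$session, array $post): bool
{
    $expected = $session[FORM_TOKEN_KEY] ?? null;
    $given    = $post['form_token'] ?? null;
    unset($session[FORM_TOKEN_KEY]);      // single use: consumed on every attempt
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;                     // nothing issued, or nothing supplied
    }
    return hash_equals($expected, $given); // constant-time; === would leak timing
}

// --- Walk-through with a constructed session and constructed POST bodies ---
$session = [];

// page1.php renders the form with the token inside it.
$token = issueFormToken($session);
echo hiddenTokenField($token), "\n";

// page2.php: the genuine submission carries the token.
$ok = verifyFormToken($session, ['some_form_input' => 'hello', 'form_token' => $token]);
echo 'genuine submission: ', $ok ? 'accepted' : 'rejected', "\n";

// Replaying the same token fails because it was consumed above.
$replay = verifyFormToken($session, ['form_token' => $token]);
echo 'replayed token:     ', $replay ? 'accepted' : 'rejected', "\n";

// A drive-by POST that sets some_form_input (and any Referer it likes) has no token.
issueFormToken($session);
$forged = verifyFormToken($session, ['some_form_input' => 'spam']);
echo 'forged POST:        ', $forged ? 'accepted' : 'rejected', "\n";

// Loading page2 directly with no POST body at all.
issueFormToken($session);
$direct = verifyFormToken($session, []);
echo 'direct GET:         ', $direct ? 'accepted' : 'rejected', "\n";
```

In page2.php the `else` branch stays as in the answer (redirect to page1.php and `exit`); only the condition changes to `verifyFormToken($_SESSION, $_POST)`. Because the token is consumed on every check, page1 must issue a new one each time it renders the form.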
