$_SERVER['HTTP_REFERER'] missing
From the documentation:
The address of the page (if any) which referred the user agent to the
current page. This is set by the user agent. Not all user agents will
set this, and some provide the ability to modify HTTP_REFERER as a
feature. In short, it cannot really be trusted.
http://php.net/manual/en/reserved.variables.server.php
Error in $_SERVER['HTTP_REFERER']
This is because HTTP_REFERER is not set
you can try
if(isset($_SERVER['HTTP_REFERER']))
echo $_SERVER['HTTP_REFERER'];
else
echo 'HTTP_REFERER in not set';
$_SERVER[ HTTP_REFERER ] issue
Use the following snippet:
if (preg_match('/^https?:\/\/t\.co\//', $_SERVER['HTTP_REFERER'])) {
# allowed
}
This will also match https requests, by the way.
Alternatively, you can use parse_url, like this:
$parsed = parse_url($_SERVER['HTTP_REFERER']);
if ($parsed['host'] === 't.co') {
# allowed
}
Keep in mind though that $_SERVER['HTTP_REFERER'] might not be set or empty, thus an additional
if (isset($_SERVER['HTTP_REFERER']))
is useful in both cases.
Result from $_SERVER['HTTP_REFERER'], when referer header is not sent to server
If the HTTP referer request header is not sent then the $_SERVER['HTTP_REFERER']
is probably not set, although it could be an empty string. Whether it is set or not in this case could depend on the server.
As with all HTTP request headers, check for its existence when reading:
$httpReferer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;
$_SERVER['HTTP_REFERER'] not working with Header
In the login validation page, the referer will be login page, not the original one (unless you are using credentials stored in a cookie or HTTP basic/digest auth).
What you can do is, in the login page, where the user enters the details, have a hidden field with the referer of the login page request, and then pass it to the script that verifies the login and does the forwarding if the login is successful.
Better yet: since the user may not send the referer (it is configurable in most browsers), have the link to the login page include in the query string the original page. Then proceed as above, but use this value instead of the referer.
To be clear:
<form method="post" action="login">
...
<input name="user" type="text" />
<input name="password" type="password" />
<input name="referer" type="hidden" value="<?php echo urlencode($_SERVER['HTTP_REFERER']) ?>" />
</form>
then
<?php
if (login_is_successful() && !empty($_POST['referer']) && !is_array($_POST['referer'])) {
header("Location: ".urldecode($_POST['referer']));
die();
}
In what cases will HTTP_REFERER be empty
It will/may be empty when the enduser
- entered the site URL in browser address bar itself.
- visited the site by a browser-maintained bookmark.
- visited the site as first page in the window/tab.
- clicked a link in an external application.
- switched from a https URL to a http URL.
- switched from a https URL to a different https URL.
- has security software installed (antivirus/firewall/etc) which strips the referrer from all requests.
- is behind a proxy which strips the referrer from all requests.
- visited the site programmatically (like, curl) without setting the referrer header (searchbots!).
Related Topics
PHP $_Server['Http_Host'] Vs. $_Server['Server_Name'], Am I Understanding the Man Pages Correctly
PHP Mail() Function on Localhost
How to Get Const'S Defined on a PHP Class
How to Remove All Specific Characters At the End of a String in PHP
Paypal Access - Ssl Certificate: Unable to Get Local Issuer Certificate
What Does "1" Mean At the End of a PHP Print_R Statement
Pass a Variable to a PHP Script Running from the Command Line
Difference Between "Not Equal" Operators ≪≫ and != in PHP
Access PHP Var from External JavaScript File
PHP Array to Json Array Using Json_Encode();
PHP: Access Array Value on the Fly
Is It Safe to Trust $_Server['Remote_Addr']
Is MySQL_Real_Escape_String() Broken
Creating a Thumbnail from an Uploaded Image
PHP: Utilizing Exit(); or Die(); After Header("Location: ");