View Full Version : checking referer



low tech
01-17-2012, 02:37 AM
Hi all

I have some pages on mysite which are extra information only pages
which open in a new page and do not contain a menu or link back to
index page.

I only want these pages to be accessed via the referring page (index in this case),
for example I don't want them accessed via a Google search.

So far I have done this and I'm wondering if there is any issue
with this method and is it correct?


<?php
// if no referer
if (!isset($_SERVER['HTTP_REFERER'])) {
    header('Location: http://www.mysite.com/');
    exit;
}
// if not referred from mysite
// (HTTP_REFERER holds the full URL of the referring page, so match on the prefix)
$ref = $_SERVER['HTTP_REFERER'];
if (strpos($ref, 'http://www.mysite.com/') !== 0) {
    header('Location: http://www.mysite.com/');
    exit;
}
// otherwise do nothing, continue
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

Basically I'm looking for confirmation that what I have done is OK or not.

help appreciated

LT

djh101
01-17-2012, 07:27 AM
It depends on what your intention is. Your code should work to physically do what it is intended to do, but HTTP_REFERER can't be relied on for security. To quote php.net:

"The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted."

On a side note, most search engines won't index your pages, anyway, if they redirect somewhere.

felgall
01-17-2012, 07:58 AM
The developer tools built into most browsers will allow anyone to modify the headers (including that one) before the request is sent to the server. Since references from your own site are the most likely expected value it would only take someone about 2 seconds to bypass your test - depending on how fast they can type.

low tech
01-17-2012, 08:35 AM
Hi guys

Thanks for that info

Yeh, I read about security issues but there is no security involved here.

These pages are supplement info pages that really only make sense to anyone who has landed on my index page and requests that info page by clicking on it.

If a person just happened to land on one of those pages from a Google search, for example, they would probably wonder what's going on since there is no navigation and I doubt they would be looking for the info contained on the page.

So my intention is to make sure they go via the index page and if my site is not useful to them they will quickly realize that and navigate away or they will be interested and follow the info links.



"On a side note, most search engines won't index your pages, anyway, if they redirect somewhere."

Hah very interesting, didn't know that. It could work to my advantage in this case or I will redesign the pages in light of that info.

many thanks

LT

djh101
01-17-2012, 08:42 AM
Well if search engines are your main problem, you can just add a nofollow metatag to your pages and your page won't be indexed (see http://www.robotstxt.org/meta.html).

low tech
01-17-2012, 08:55 AM
Hi djh101


I'm now thinking a small redesign of these pages with some JS to check referer page and display a notice with a link to my main page if not from index

idea in progress hahahaha

Thanks again

LT

felgall
01-17-2012, 09:27 AM
What about all the people who end up on those pages who have JavaScript disabled?

You really need at least one navigation link on the page anyway that takes people to your home page - there are lots of people who don't know their browser has a back button and so can only get to pages that have navigation inside the current page.

low tech
01-17-2012, 12:40 PM
Hi felgall

These pages open in a new window and should be closed after reading hence no navigation.

Now my plan is to provide a link and hide it via JS and also check the referer with JS.

If JS is turned off --> the link will show plus a noscript message.

If JS is on --> If the referer is index page the link stays hidden. (they should close the window as intended)

If JS is on --> If the referer is not index the link will show plus message to view index page

LT
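
The referrer decision from the plan in the post above, written out as an added example (not code from the thread). The URL list, the function names and the `index-link` element id are assumptions for illustration; as the earlier replies note, the referrer is set by the user agent, so this is a navigation hint only.

```javascript
// Constructed list of URLs that count as "the index page" (assumption).
const INDEX_URLS = ['http://www.mysite.com/', 'http://www.mysite.com/index.php'];

// Normalise a URL to origin + path; query string and fragment are ignored.
// Returns null for an empty or malformed value.
function normalise(url) {
  try {
    const u = new URL(url);
    return u.origin + u.pathname;
  } catch (e) {
    return null;
  }
}

// True when the visitor did NOT arrive from the index page, or the browser
// sent no referrer at all, so the link and notice should stay visible.
function shouldShowIndexLink(referrer, indexUrls = INDEX_URLS) {
  const ref = normalise(referrer);
  if (ref === null) return true;
  // Whole origin + path must match, so a lookalike host such as
  // www.mysite.com.evil.example is not mistaken for the real site.
  return !indexUrls.map(normalise).includes(ref);
}

// In the page: the link is visible in the markup, so it shows with JS off,
// and is hidden only when the referrer matches the index page.
if (typeof document !== 'undefined') {
  const link = document.getElementById('index-link'); // hypothetical id
  if (link && !shouldShowIndexLink(document.referrer)) {
    link.style.display = 'none';
  }
}
```
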

felgall
01-17-2012, 06:33 PM
"These pages open in a new window and should be closed after reading hence no navigation."

You have no control over whether they open in a new window or not - that is entirely up to how your visitor has their browser configured. It is as likely that the page will open in the same window as the preceding page as that it will open in a new window.

low tech
01-18-2012, 12:02 AM
Hi


"You have no control over whether they open in a new window or not"

True, but as far as I know it will either be a new window or a new tab which is fine.

LT

felgall
01-18-2012, 01:10 AM
"Hi

True, but as far as I know it will either be a new window or a new tab which is fine.

LT"

Your visitors have three options on where it opens - in addition to the two you mention they could also select to open it in the same tab as the prior page.

djh101
01-18-2012, 01:16 AM
It really doesn't matter that much where it opens...

low tech
01-18-2012, 02:37 AM
Hi


"It really doesn't matter that much where it opens..."
Agreed

My original concern was what to do about a user inadvertently
landing on one of these pages other than via the link from my index
and I think the solution in post 8 should be fine.

If the user opens link from index it doesn't matter where the page opens
since they will be aware of the main page which is what I want.

This discussion really made me consider things more and I would like
to thank both felgall and djh101 for their input.


Thanks

LT


