Question

Supposing I want to restrict POST requests in order to process only the ones that are coming from my own domain, how can I check the referer in some way other than using $_SERVER['HTTP_REFERER'], which I read (in the $_SERVER documentation) cannot be trusted?

Solution

This isn't possible, unfortunately: the only way to check the referrer is if the browser has supplied this information, which obviously could be changed to benefit the reader.

However you could create a user session or cookie that saves a variable to show that the user has visited the site. You could then only allow users to see the posts if that session variable is defined.

Another option would be to generate links based on the user's IP address and only give them access if they have clicked on a specifically generated link. You could start by saving the user's IP address and a unique key in the database, and then all your internal links could use a GET variable with the unique ID. If the page is opened without a genuine ID, then you could display an error message.

OTHER TIPS

If it is coming from your own domain you can set a cookie or use a session variable to mark the user as being on your website. Then if a submission is sent and the user lacks that verification value you know you can reject it (or if it is present accept it).

In addition to Cameron's answer:
You can also use the same mechanisms that prevent cross-site request forgeries, i.e. not only set a session variable that indicates that a user has visited your site, but also add a key to the form that must match a value in the session data. Some frameworks offer support for that, e.g. Zend_Form_Element_Hash.
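The session-marker idea from Cameron's answer and the form key from the answer above can be combined in one small PHP script. The following is an added example, not code from the original answers and not Zend's implementation: it issues a random token once per session, embeds it in the form as a hidden field, and rejects any POST whose submitted token does not match the session copy. It assumes PHP 7 or later (for random_bytes and hash_equals) and the field name csrf_token, which is my own choice. The token matters because a session cookie alone is still sent by the browser on a cross-site POST, so a session flag by itself cannot tell a forged submission from a genuine one; the hidden field can, since a foreign site cannot read it.

```php
<?php
// Added example (not from the original answers): a session-bound form token.
// Assumes PHP >= 7 for random_bytes() and hash_equals().

declare(strict_types=1);

// Return the token for the current session, creating it once per session so
// that several open tabs keep working with the same value.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded to 64 characters.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every form this site serves.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token against the session copy. Returns true only when
// the session holds a token and the submitted value matches it exactly;
// hash_equals() compares in constant time to avoid timing leaks.
function csrf_valid(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject any submission that lacks a matching token: this covers both a
    // request from a visitor who never loaded the form and a cross-site POST
    // that carries the session cookie but cannot know the hidden value.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    // ... process the trusted submission here ...
    echo 'Submission accepted.';
} else {
    // Serving the form: rendering it is what marks the visitor as having
    // been on the site, because that is when the session token is created.
    echo '<form method="post" action="">'
        . csrf_field()
        . '<textarea name="body"></textarea>'
        . '<button type="submit">Post</button>'
        . '</form>';
}
```

The token check must run before any state change, and the 403 branch should not reveal which part failed. As a second layer on PHP 7.3 and later, the session cookie can be issued with session.cookie_samesite set to Lax or Strict so that most browsers withhold it on cross-site POSTs altogether; the token remains the check the server can actually verify.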

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow