Good day! There is a registration form, and at each stage of it we check where the user came from (from our site, or from somewhere completely different) with the help of $_SERVER[HTTP_REFERER]. Everything would be fine, but when you refresh the page, $_SERVER[HTTP_REFERER] is simply empty, so the check at that stage fails and produces an error.

How can this be overcome, i.e. so that even after a refresh we know that the user is really ours?

  • Maybe, after the first arrival (if, of course, it was correct, i.e. from your site), set a cookie right away, and then, if it is present, the referrer is not checked. - Oleg Arkhipov
  • @Construct: you can save the page and then send just the unverified data (it is checked in JS). - ka5itoshka
  • @ka5itoshka, um? So your data is not checked in PHP? What kind of security can we even talk about? - Oleg Arkhipov
  • @Construct: it is checked in PHP too, but not as thoroughly as in JS - ka5itoshka

2 answers

And what prevents using a cookie, a session, or local storage? The user has logged in, a session has been started. Now we check both $_SERVER[HTTP_REFERER] and the session. If either of these suits us, then "you are welcome".

  • I thought so, but cookies can be changed. And there are already a lot of sessions. And I have heard about local storage, but I know little about it. - ka5itoshka
  • @ka5itoshka, read about local storage, there is nothing complicated about it, especially since you are already familiar with cookies and sessions. - Deonis
  • You could still try it with sessions (but I don't know whether it would be safe): on every click on submit, we check via ajax whether the user exists in the database, and on successful validation we add +1 to a special session variable; on failure we add nothing. And on the steps we just check the number in that special session variable. What do you say, is it safe to do that? Only again, the user can save the page, skip the JS check and simply send the ajax request. - ka5itoshka
  • I do not know all the details of your task the way you know them. So your reasoning does not lead me anywhere)) What does "safe to do that" mean? What is the actual danger? - Deonis
  • @Deonis, the danger is in data substitution (I think so))) - ka5itoshka

Use a CSRF token so that a person cannot predict it in advance without being on the corresponding form page. http://habrahabr.ru/post/235247/ is a decent article on Habr on your topic. The essence is simple: a person, authorized in the system, comes to the form page; when loading the page, generate a token, put it in a hidden field, and write it to the session. If they do not match, then the request is not from your site.
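Below is an added example (not code from the question or from either answer) that puts the two answers together: progress through the steps is tracked in the server-side session instead of $_SERVER[HTTP_REFERER], and every POST must carry a CSRF token bound to that session, as the second answer describes. The step layout, field names, validation rules and status codes are assumptions for illustration; random_bytes() and hash_equals() are my choice for generating and comparing the token (PHP 7 or later is assumed).

```php
<?php
// Added example, not the original poster's code: multi-step registration
// that never looks at the Referer header. A plain refresh (which sends no
// Referer) is a GET and simply re-renders the current step.
// Assumptions: PHP >= 7, three steps, field names email/login/password.
declare(strict_types=1);

session_start();

const STEPS = 3;

// One token per session (answer 2): created on first page load, stored in
// the session, emitted in a hidden field, compared on every POST.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison; a missing or non-string field fails closed.
function csrf_valid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Server-side validation for each step. The JS checks on the client are a
// convenience only; a user who saves the page can skip them, so this is the
// check that actually counts.
function validate_step(int $step, array $in): bool
{
    switch ($step) {
        case 1:
            $v = $in['email'] ?? '';
            return is_string($v) && filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
        case 2:
            $v = $in['login'] ?? '';
            return is_string($v) && preg_match('/^[A-Za-z0-9_]{3,32}$/', $v) === 1;
        case 3:
            $v = $in['password'] ?? '';
            return is_string($v) && strlen($v) >= 12;
        default:
            return false;
    }
}

$done = (int) ($_SESSION['step_done'] ?? 0);   // highest step completed (answer 1)
$step = $done + 1;                              // the step the user must submit now

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Bad request: token mismatch');
    }
    $posted = (int) ($_POST['step'] ?? 0);
    if ($posted !== $step) {
        // Skipping ahead or replaying an earlier step is refused here,
        // regardless of what the client-side JS allowed.
        http_response_code(409);
        exit('Wrong step');
    }
    if (!validate_step($step, $_POST)) {
        http_response_code(422);
        exit('Invalid data');
    }
    $_SESSION['data'][$step] = $_POST;   // keep the answers server-side, not in cookies
    $_SESSION['step_done'] = $step;
    if ($step === STEPS) {
        // All steps validated on the server; create the account here, then reset.
        unset($_SESSION['step_done'], $_SESSION['data'], $_SESSION['csrf']);
        exit('Registration complete');
    }
    // Post/Redirect/Get: a refresh after this re-issues a GET, not the POST.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

// GET (including a refresh): render the form for the current step.
$field = [1 => 'email', 2 => 'login', 3 => 'password'][$step];
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo "<form method=\"post\">\n";
echo "  <input type=\"hidden\" name=\"csrf\" value=\"{$token}\">\n";
echo "  <input type=\"hidden\" name=\"step\" value=\"{$step}\">\n";
echo "  <input name=\"{$field}\" required>\n";
echo "  <button>Step {$step} of " . STEPS . "</button>\n";
echo "</form>\n";
```

Two things worth noting about the design. The step counter lives only in $_SESSION, so unlike a cookie the client cannot edit it, which answers the concern about cookies being changed; and the token is compared with hash_equals() rather than == so that the comparison does not leak timing information. If the form is shown to users who log in mid-flow, call session_regenerate_id(true) at login so an attacker cannot fixate the session (and with it the token) in advance.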