Simple questions:

Why is a fake HTTP_REFERER dangerous?

Will HTTP_REFERER work when using the https protocol?


I use it as follows: on the user profile page there are buttons for friendship (block, send a request, accept as a friend, cancel a request, end a friendship ...). The friendship handler (script), after processing the button press, RETURNS to this same user profile.

But the friendship buttons are also displayed in the LIST of friends, blocked users, incoming and outgoing requests. That is, after pressing a button on the user list page (not on the user profile page), the friendship handler needs to return to the user list page (the page of friends, blocked users, incoming or outgoing requests). Here I have a referrer, and it returns to the desired page.

I actually somehow thought that this variable had already been removed from PHP (I was without the Internet for about a month). In a not-so-recent book I found HTTP_REFERER, but I still have not checked on the internet.

The variables that are passed in the referrer are hard-coded; there are only two numeric parameters:

1. Which list to display (friends, blocked, incoming requests, outgoing requests).

2. Page number.

  • And why do you need HTTP_REFERER? Do you use it in your code? - Visman
  • Supplemented the question. It is possible to write the code in another way, but it will be BAD CODE. The buttons on the page displaying blocked users are visible here: stackoverflow.com/questions/582729/… - root_x Povierennyy

1 answer

My opinion: it is better not to use $_SERVER['HTTP_REFERER'].
Why: in many cases (even independently of the user) this variable may be missing.

What to do?
For POST requests, add to the form the variable(s) by which you can uniquely determine the return URL:

    <input type="hidden" name="prev_url" value="<?php echo htmlspecialchars($prev_url) ?>" />

For GET requests, we similarly add a variable to the link.

But since the data passes through the user (browser), it cannot be trusted. If the return variable is in the form of a link, that link must lead to your site. Like this (a very rough example of the check):

    $referrer = 'http://you.site/url_возврата_по_умолчанию/';  // default return URL
    if (isset($_POST['prev_url'])) {
        // Compare only the host part: the submitted URL must point at this site
        $default_arr = parse_url(strtolower($referrer));
        $prev_arr = parse_url(strtolower($_POST['prev_url']));
        if ($default_arr !== false && $prev_arr !== false && isset($prev_arr['host'])
            && $default_arr['host'] == $prev_arr['host']) {
            $referrer = $_POST['prev_url'];
        }
    }

PS: instead of the return URL you can use abbreviations, for example profile-1234, where profile means that you need to return to the profile page and 1234 is the number of the user whose profile page is needed. Such data is easier to check than a URL.

  • "For POST requests, add to the form" - the form(s) are exactly the same for different pages. I thought about adding a parameter indicating the page to return to.... The ability to disable referrer sending in browsers is really a disaster. Checking the referrer is not difficult. Ehh, you have to make different forms OR split the form into parts to dynamically insert a return label. That is what I did not want to do. My forms are inserted with require. - root_x Povierennyy
  • What about the referrer and https? Will it work without peculiarities over https? - root_x Povierennyy
  • @root_xPovierennyy, nothing stops you from setting the return data in a certain variable before the require that includes the form, and substituting it in the form; the form will be the same for all pages. About https: I did not see any problems on a forum running over https; within the forum the return works without problems. - Visman
  • I just thought of it (!). It will just be a variable. And in the form field <input type="hidden" name="$ref" ...> the page can be passed. - root_x Povierennyy
  • Right on the page, on the client side, add a hidden field with the data from window.location.href to the form, and CSRF should not be forgotten - DiGiTAL
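The host check from the answer and the label scheme from its PS, carried further as an added example (not code from the question, the answer or the comments): a user-supplied return value is accepted only as an allowlisted label or as a same-site URL, and everything else falls back to a default. SITE_HOST, DEFAULT_URL and the two routes are assumed placeholders; PHP 8 is assumed for str_starts_with.

```php
<?php
// Added example, not code from the answer: validate a user-supplied "return to"
// value before redirecting. SITE_HOST, DEFAULT_URL and the routes are assumed
// placeholders for the site in the question; requires PHP 8 (str_starts_with).
const SITE_HOST   = 'you.site';
const DEFAULT_URL = '/profile/';
// Short labels as in the answer's PS ("profile-1234"); only listed labels are accepted.
const RETURN_ROUTES = [
    'profile' => '/profile/%d',
    'friends' => '/friends/?list=%d',
];

// Returns a redirect target that stays on this site, or DEFAULT_URL otherwise.
function safe_return_url(string $candidate): string
{
    // 1) Label form: "<route>-<number>" mapped through the allowlist above.
    if (preg_match('/^([a-z]+)-(\d{1,10})$/', $candidate, $m) && isset(RETURN_ROUTES[$m[1]])) {
        return sprintf(RETURN_ROUTES[$m[1]], (int) $m[2]);
    }
    // 2) URL form. Control characters and backslashes are rejected outright, since
    //    browsers normalise "\" to "/", so "/\evil.site" would become "//evil.site".
    if (preg_match('/[\x00-\x1f\\\\]/', $candidate)) {
        return DEFAULT_URL;
    }
    $p = parse_url($candidate);
    if ($p === false || isset($p['user']) || isset($p['pass'])) {
        return DEFAULT_URL;
    }
    $path = $p['path'] ?? '';
    if (isset($p['host'])) {
        // Absolute URL: scheme must be http(s) and the host must match exactly.
        $scheme = strtolower($p['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true) || strtolower($p['host']) !== SITE_HOST) {
            return DEFAULT_URL;
        }
        $base = $scheme . '://' . SITE_HOST;
        $path = $path === '' ? '/' : $path;
    } elseif (isset($p['scheme'])) {
        return DEFAULT_URL;   // scheme without host, e.g. "javascript:alert(1)"
    } elseif ($path === '' || $path[0] !== '/' || str_starts_with($path, '//')) {
        return DEFAULT_URL;   // must be site-absolute; "//host" is protocol-relative
    } else {
        $base = '';
    }
    // Rebuild from the parsed parts (fragment dropped) so nothing unparsed leaks through.
    return $base . $path . (isset($p['query']) ? '?' . $p['query'] : '');
}
// Constructed inputs: the first three are accepted, the rest fall back to DEFAULT_URL.
foreach (['profile-42', '/friends/?list=2', 'https://you.site/block/',
          '//evil.site/', 'javascript:alert(1)', 'http://evil.site/'] as $in) {
    echo $in, ' => ', safe_return_url($in), PHP_EOL;
}
```

The value returned here is what the handler redirects to; the CSRF token mentioned in the last comment is a separate check on the POST itself and is not replaced by this validation.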