$_SERVER['HTTP_REFERER'] problems

Sic (Soldato, joined 9 Nov 2004, 15,365 posts, location SO16)
I appear to be having problems with this variable and Firefox < 2.0. It doesn't seem to be registering the fact that the variable has been set. I was reading on php.net that this variable shouldn't really be trusted. Is there anything else I can use?
 
It can be very easily spoofed, and very easily disabled. So, yes, don't trust it and certainly don't rely on it entirely.

When I've absolutely needed to know the user's previous page, I've passed it either as a session/cookie variable, or in the URL (could base64_encode to shorten it) i.e. on each page load I set the current page URI in the session, or append it to all relevant hyperlinks on the page. These methods are just as untrustworthy, but at least it means that you can be fairly sure you'll be able to access the information.
 
It was to help stop people remote-posting to my comments section. Not really sure what to do now, as it seems to be fairly open without any kind of referrer checking. Anyone got any ideas?
 
How about a server-side check that the connection has downloaded the rest of a page before allowing them to post, i.e. checking that a page has been requested, images requested, etc.

Either that, or have a unique ID dynamically created that is submitted along with the message, to check that you have served a page to that connection/session. Or, worst case, a captcha.
 
You would be wanting a nonce. Essentially, you create a single-use value in the form and then check that the value's present and valid when processing the form. If it's not, don't process it.

http://php.robm.me.uk/#toc-CSRF

(That section is pretty badly written but I hope you get the picture!)
 
JonC said:
How about a server-side check that the connection has downloaded the rest of a page before allowing them to post, i.e. checking that a page has been requested, images requested, etc.
This is what I used as a hotlink protection strategy, and it's far more effective than a referer check.

And yes, a nonce would work too.

Both would, of course, require session tracking.
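The single-use form token described in the nonce reply above, and the session tracking the last reply says it needs, as an added example (not code from this thread or from the linked page). It assumes PHP 7+ with sessions enabled; the function names, hidden-field name and lifetime are my own choices.

```php
<?php
// Added example: a single-use form token ("nonce") kept in the session.
// Assumed: PHP 7+ with sessions; function, field and TTL names are mine.

session_start();

const NONCE_FIELD = 'form_nonce';   // hidden input name (assumed)
const NONCE_TTL   = 600;            // seconds a token stays valid (assumed)

// Create a fresh random token, record it server-side, return it for the form.
function issue_nonce(): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $_SESSION['nonces'][$token] = time();
    return $token;
}

// Validate a submitted token: it must exist in *this* session and be
// unexpired, and it is removed on first use so a replayed form fails.
function consume_nonce(?string $token): bool
{
    if ($token === null || !isset($_SESSION['nonces'][$token])) {
        return false;                            // never issued, or used already
    }
    $issued = $_SESSION['nonces'][$token];
    unset($_SESSION['nonces'][$token]);          // single use
    return (time() - $issued) <= NONCE_TTL;
}

// Form page: embed the token as a hidden field.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $nonce = htmlspecialchars(issue_nonce(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<textarea name="comment"></textarea>'
       . '<input type="hidden" name="' . NONCE_FIELD . '" value="' . $nonce . '">'
       . '<button type="submit">Post</button></form>';
}

// Comment handler: refuse the post unless the token checks out.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_nonce($_POST[NONCE_FIELD] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or already used.');
    }
    // ... store $_POST['comment'] here ...
    echo 'Comment accepted.';
}
```

A remote poster who never loaded the form in the same session has no valid token, so the check does not depend on the Referer header at all.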
 