How reliable is HTTP_HOST?

ε祈祈猫儿з submitted on 2019-12-05 02:41:48

HTTP_HOST is for the Host: header sent by HTTP 1.1 user-agents during the request. This is not used by HTTP 1.0 clients, so it won't appear then. However, nowadays, I don't think there are still many HTTP 1.0 clients.

Pekka supports GoFundMonica

Edit: I stand corrected: the Host header is not present in HTTP 1.0 requests. See @Bruno's answer. Leaving mine in place because of the security considerations.

The only issues with HTTP_HOST that I'm aware of are security issues, not compatibility ones.

The security issues stem from the fact that HTTP_HOST is sent by the user. If the web server is incorrectly set up and/or buggy, arbitrary HTTP_HOST values could make it to your site/script (see e.g. here for detailed discussion). Your application needs to be prepared for that.

It's good never to trust HTTP_HOST (e.g. it can be a good idea to set up an array of allowed values for it before processing it in your PHP script):

<?php
  $allowed_hosts = array("domain1.com", "domain2.com", "domain3.com");

  // HTTP/1.0 requests may carry no Host header at all, so treat a missing value as unknown
  $host = isset($_SERVER["HTTP_HOST"]) ? strtolower($_SERVER["HTTP_HOST"]) : "";

  // strict comparison, and escape the attacker-controlled value before echoing it back
  if (!in_array($host, $allowed_hosts, true))
    die ("Unknown host name " . htmlspecialchars($host));

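The allow-list idea from the answer above, together with the HTTP/1.0 missing-Host case from Bruno's answer, worked through as an added example. This is not code from any of the original answers; the host names, the $allowed list, the reset path and the constructed request arrays are made up for the demonstration. It canonicalises the header (case, port suffix, trailing dot, IPv6 literal) before the allow-list compare, treats an absent header as "unknown" instead of raising a notice, and only ever builds absolute URLs from the allow-listed value, so a Host header chosen by the client cannot end up inside a link the application generates:

```php
<?php
// Added example (not from the original answers): canonicalise and allow-list the
// Host header before using it for anything security-relevant (absolute URLs in
// password-reset mails, redirects, cache keys). All host names below are made up.

/**
 * Returns the canonical host name if the request's Host header is on the
 * allow-list, or null if it is missing (HTTP/1.0 clients send none) or not allowed.
 *
 * @param array    $server   a copy of $_SERVER (or a constructed array in tests)
 * @param string[] $allowed  lower-case host names without a port
 */
function allowed_host(array $server, array $allowed): ?string
{
    if (!isset($server['HTTP_HOST']) || $server['HTTP_HOST'] === '') {
        return null;                       // HTTP/1.0 request or header stripped upstream
    }
    $host = strtolower(trim($server['HTTP_HOST']));

    // Strip an optional port: "example.com:8443" or "[::1]:8443".
    if ($host !== '' && $host[0] === '[') {
        $end = strpos($host, ']');
        if ($end === false) {
            return null;                   // malformed IPv6 literal
        }
        $host = substr($host, 0, $end + 1);
    } else {
        $host = preg_replace('/:\d+$/', '', $host);
    }

    // A trailing dot names the same DNS entry; drop it so "example.com." still matches.
    $host = rtrim($host, '.');

    // Only letters, digits, dots and hyphens (or a bracketed IPv6 literal) are accepted;
    // CR/LF, spaces and anything else that could smuggle a header are rejected here.
    if (!preg_match('/^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)$/', $host)) {
        return null;
    }

    return in_array($host, $allowed, true) ? $host : null;
}

/**
 * Builds an absolute URL for the current request from an allow-listed host only.
 * Building it from the raw header is how reset links get poisoned.
 */
function absolute_url(array $server, array $allowed, string $path): ?string
{
    $host = allowed_host($server, $allowed);
    if ($host === null) {
        return null;
    }
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $host . $path;
}

// Constructed request environments standing in for $_SERVER.
$allowed = ['domain1.com', 'domain2.com'];
$cases = [
    'normal HTTP/1.1'          => ['HTTP_HOST' => 'Domain1.com', 'HTTPS' => 'on'],
    'with port'                => ['HTTP_HOST' => 'domain2.com:8443'],
    'HTTP/1.0, no Host header' => [],
    'attacker host'            => ['HTTP_HOST' => 'evil.example'],
    'prefix attack'            => ['HTTP_HOST' => 'domain1.com.evil.example'],
    'header injection chars'   => ['HTTP_HOST' => "domain1.com\r\nX-Injected: 1"],
];
foreach ($cases as $label => $server) {
    $url = absolute_url($server, $allowed, '/reset?token=abc');
    printf("%-26s -> %s\n", $label, $url ?? 'rejected');
}
```

The first two constructed requests are accepted and yield a URL built from the allow-listed name (not from the header string as sent); the other four are rejected, including the HTTP/1.0 request that carries no Host header at all. In production the same function can be called once in a front controller and the request aborted with a 400 on null, rather than repeating the check in every script.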
Pekka's answer seems more interesting, but it seems that you want to know which browsers support HTTP 1.1 and which don't. Found this on Google: http://www.1-script.com/forums/Browser-Support-for-HTTP-1-1-article34982--8.htm

A note, from that thread: "a HTTP 1.0 browser cannot get to the non-default virtual host." That means that a browser that doesn't support HTTP 1.1 cannot reach any website on a shared server, as far as I know. There are LOTS of websites on shared hosts. Also subdomains might (not sure though) be "detected" in the same way, by using the HTTP_HOST var.

After reading these, I don't really think anyone uses a browser that old nowadays; it would be impossible for them to actually navigate the web :)

Rafa

This is what I answered in a similar question:

Looking into this myself for other purposes:

"HTTP/1.0 is in use by proxies, some mobile clients, and IE when configured to use a proxy. So 1.0 appears to still account for a non-trivial % of traffic on the web overall. ... Yes, there are many 1.0 clients still out there."

Source (July 2009): http://groups.google.com/group/erlang-programming/msg/08f6b72d5156ef74

:-(

I am personally getting quite a few HTTP/1.0 requests on my sites with a missing HTTP_HOST :-(
