My actual implementation of this is much more complicated, with authentication and a bunch of other stuff, but at the simplest form, here's the problem I'm having. Redirecting with header doesn't reveal itself as a referer.
So, let's say I have three pages: start.php, middle.php and end.php
start.php
<html><body>
<a href="middle.php">middle</a>
</body></html>
middle.php
<?php
header('Location: end.php');
?>
end.php
<?php
echo 'The referer is: ' . $_SERVER['HTTP_REFERER'];
?>
When you follow the link, you end up at end.php, but the referer is not middle.php. Is there any other redirection method I can use to correct this, or anything else I can do?
Cheers
EDIT In this case, the destination page is a third party vendor. The only method they have to validate is from refering URL. I have no control over that. I just need my page that does the redirect to send the proper URL. Are there any alternatives to this redirection method, rather than picking apart the reasons not to trust http_referer?
Sorry, but it's out of your control, only the browser can send that header - and not all do. It can be easily faked, so don't rely on it.
More information is available on this php bug (which was marked not a bug).
Since HTTP_REFERER is not trustworthy (could easily be modified from outside), you could easily store the last page visited in session after every request. Then easily retrieve it when reloading.
Meaning, loading the referrer as $referring_url = $_SESSION["referring_url"]. Then saving it $_SESSION["referring_url"] = $current_absolute_url; when ending each request.
Though, note that this could be a concurrency issue. Having parallel requests (using eg AJAX) could easily make the session believe that it came from a page that it actually didn't.
This question has popped up a number of times on SO (I can't find any dupes right now though), and I think always with the bottom line that it is not defined in a standard what a browser is to set the referrer to in this situation.
Is it an option to specify it explicitly using a GET parameter or something?
I would suggest something like this:
header('Location: end.php?from=' . urlencode($_SERVER['PHP_SELF'));
And then in the page where you want to know from where the redirect was issued:
echo 'redirected from ' . urldecode($_GET['from']);
What are you trying to use the Referrer header info for?
If it's for authentication/validation of the request's origin, then you might consider trying another approach. As El Yobo pointed out, the Referrer header isn't a foolproof way of determining where someone's request is coming from.
I went with the old meta refresh method of redirection. This keeps the referring URL in tact for the vendors that require it. Any vendor that doesn't require it still uses the header function, for speed and ease of use.
来源:https://stackoverflow.com/questions/4350929/redirects-and-referers