Home > Archive > PERL CGI Beginners > August 2005 > $ENV{'HTTP_REFERER'}
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
$ENV{'HTTP_REFERER'}
|
|
| Denzil Kruse 2005-08-24, 6:55 pm |
| Hi,
I want to know the web site that someone came from,
and so I was planning on reading $ENV{'HTTP_REFERER'}
to figure it out. How reliable is that? Do browsers
or other situations block it or obfuscate it? Is
there another way to do it or any other issues
involved? I'm using apache on red hat.
Thanks,
Denzil
________________________________________
__________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
| |
| Wiggins d'Anconia 2005-08-24, 6:55 pm |
| Denzil Kruse wrote:
> Hi,
>
> I want to know the web site that someone came from,
> and so I was planning on reading $ENV{'HTTP_REFERER'}
> to figure it out. How reliable is that? Do browsers
> or other situations block it or obfuscate it? Is
> there another way to do it or any other issues
> involved? I'm using apache on red hat.
>
> Thanks,
> Denzil
>
Depends on your definition of reliable. From experience it would seem
most browsers set it pretty reliably.
Having said that, it is just a value passed as part of the HTTP request
so anyone can spoof it at anytime, so relying on it from a security
stand point, well, isn't secure.
I imagine if you are doing something where someone can benefit from
obfuscating it, they will. If you want to use it for ease of UI
handling (aka redirects, prepopulating fields, marketing metrics) I
think you are safe.
HTH,
http://danconia.org
| |
| David Dorward 2005-08-24, 6:55 pm |
| On Wed, Aug 24, 2005 at 02:12:56PM -0700, Denzil Kruse wrote:
> I want to know the web site that someone came from,
> and so I was planning on reading $ENV{'HTTP_REFERER'}
> to figure it out. How reliable is that?
Reliable enough for general interest and for finding some sites with
links to moved pages on your site. Not reliable enough to depend on.
> Do browsers or other situations block it or obfuscate it?
Often. Its an optional header, isn't supposed to be sent when arriving
from an https page, and is munged by a goodly number of personal
"firewalls".
> Is there another way to do it
No
--
David Dorward http://dorward.me.uk
|
|
|
|
|