• acidstout

    (@acidstout)


    I noticed WPGlobus assumes that $_SERVER['HTTP_REFERER'] is always set. This may be true for most scenarios, but does not take edge cases into account and spams the log file. Also, relying on a referer is bad, because:

    • it’s easy to manipulate
    • some users might have their browsers configured to not send a referer
    • it’s not accessible over HTTPS (e.g. especially if the plugin HTTP Security is used)
    • some proxies strip the header
    • it will be empty if the user entered the site URL in browser address bar itself, visited the site by a bookmark or as first page in the window/tab.

    A reliable way to check where the user is coming from is to store the current page name in a session.

    • This topic was modified 6 years ago by acidstout.
  • The topic ‘Relying on $_SERVER['HTTP_REFERER'] is bad’ is closed to new replies.
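
The two points raised in the post above (reading `$_SERVER['HTTP_REFERER']` when it may be unset, and keeping the previous page in a session instead), sketched in plain PHP as an added example that is not part of the original post and is not WPGlobus code. The function names and the session key `example_last_page` are hypothetical.

```php
<?php
// Added example. Function names and the session key are hypothetical.

/**
 * Read the Referer header without assuming it exists.
 * Returns null when the header is absent or empty, so no
 * "undefined index" notice is written to the log.
 */
function example_get_referer(): ?string
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    return (is_string($referer) && $referer !== '') ? $referer : null;
}

/**
 * Return the path of the previous page served in this session
 * (null on the first request), then record the current path so
 * the next request can read it. The value lives server-side, so
 * the client cannot set it the way it can set a Referer header.
 */
function example_previous_page(): ?string
{
    // session_start() must run before any output is sent.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    $previous = $_SESSION['example_last_page'] ?? null;

    // Store only the path component of the current request.
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    $_SESSION['example_last_page'] = is_string($path) ? $path : '/';

    return is_string($previous) ? $previous : null;
}

$previous = example_previous_page();
if ($previous === null) {
    // First page of the session: typed URL, bookmark, or new tab.
    $previous = '/';
}

// The header is treated as an optional hint only, never as a trusted value.
$refererHint = example_get_referer();
```

With several tabs open in one session the stored value reflects the most recent request from any tab, so it records the last page served rather than strict per-tab navigation.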