Is there a way to interrogate a request to determine the method of navigation?

(using a LAMP configuration, PHP)

In other words... I would like to know whether the entry was hand typed into the address bar, or a link/bookmark was used.

+3  A: 

You can check the $_SERVER['HTTP_REFERER'] variable which will contain the URL the person has navigated from. I'm not sure what happens if they choose a bookmark or enter the URL manually, though I suspect that this variable would be blank.

Though, as it says in the manual:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

nickf
+2  A: 

Reliably, you cannot.

One method you could try is referer headers (which is how it's spelled in the spec), usually sent by the browser to indicate where the user is coming from. In PHP, this is available in $_SERVER['HTTP_REFERER'].

Most modern browsers (I've tested Google Chrome and Firefox) send a referer header on link clicks and not on direct entry - that is, if the user's settings say to, which they usually do by default.

Another option, depending on just how much you really care, is to append some sort of randomly-generated session variable to the URL in the link and, on receiving a request, see if the token in the URL matches the token in the user's session. If so, there you go. If not, this link was copy-pasted.

Of course, all of these methods can easily be beaten, and your server can be fooled. Don't depend on them.

Matchu
Right on. Great info. It is actually for both presentation and authentication purposes.
eleete
If you actually want to authenticate, then, and secure it to some extent, you will need to append some secret, per-user key to the URL. That is the only 100%-reliable way.
Matchu
+1, the only way to be sure is to use some sort of ever-changing key (probably stored in the session) to validate that a link was clicked. The key should be regenerated each time the page is viewed, but something as simple as a short hash of the time + the user's IP should suffice.
Dereleased
It's exceptionally easy to spoof a referer for any given request; do not rely upon it for any kind of authentication. http://en.wikipedia.org/wiki/Referrer_spoofing
Joe
The other day I used it to put nonsense search queries in someone's Wordpress "how people got to my blog" results. It was fun :)
Matchu
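The session-token idea from this answer and its comments, sketched as an added example (not code from any poster in the thread). It swaps the suggested time-plus-IP hash for a token from PHP's `random_bytes()`, and the names `issue_link`, `arrived_via_issued_link`, `nav` and `nav_tokens` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; helper and parameter names are hypothetical.
session_start();

/** Build a link carrying a fresh random token that is also stored in the session. */
function issue_link(string $path): string
{
    $token = bin2hex(random_bytes(16));            // 128 bits from the CSPRNG
    $_SESSION['nav_tokens'][$token] = time();      // remember when it was issued
    // Keep only the 20 newest tokens so the session cannot grow without bound.
    $_SESSION['nav_tokens'] = array_slice($_SESSION['nav_tokens'], -20, null, true);
    $sep = (strpos($path, '?') === false) ? '?' : '&';
    return $path . $sep . 'nav=' . rawurlencode($token);
}

/** True only if the request carries a token issued to this session, unused and unexpired. */
function arrived_via_issued_link(array $query, int $maxAge = 900): bool
{
    $token = $query['nav'] ?? '';
    if (!is_string($token) || $token === '') {
        return false;                              // typed URL, bookmark, stripped parameter
    }
    foreach ($_SESSION['nav_tokens'] ?? [] as $known => $issuedAt) {
        // hash_equals() compares in constant time, so timing does not leak the token.
        if (hash_equals((string) $known, $token)) {
            unset($_SESSION['nav_tokens'][$known]); // single use: a replayed URL fails
            return (time() - $issuedAt) <= $maxAge;
        }
    }
    return false;
}

// Check the incoming request first, then render a new link for the next hop.
$viaLink = arrived_via_issued_link($_GET);
echo $viaLink ? "Followed a link we issued\n" : "Direct entry, bookmark or stale link\n";
echo '<a href="' . htmlspecialchars(issue_link('/report.php'), ENT_QUOTES) . '">Report</a>';
```

A match shows only that the URL was rendered for this session within the last `$maxAge` seconds; it does not identify the user, so it complements normal authentication rather than replacing it.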
A: 

If they click a link, the browser will set a referrer. You could detect the presence of a referrer header by using

$_SERVER['HTTP_REFERER'] 

and checking to see if that has been set. If it's blank the person has either typed in the URL or has a browser extension to clear referrers. It's about as close as you'll get to a solution on this one.

linead
A: 

About all you can do is look at the $SERVER['HTTP_REFERER'] [sic]. If you were directly linked, there is a good chance you will find the URL of the page that linked to you there. There are many circumstances where you won't get it though, so you can't rely on it.

In IE it is possible to detect when you are loaded from a bookmark, if you previously used a saveFavorite behaviour to persist some data before the user bookmarked you. But it's pretty ugly.

bobince
Does that work on email links, in all the email clients? Or at least Thunderbird, Outlook, Eudora?
eleete
Probably not, since mail clients don't exactly have a URL to put in the referer.
Matchu
No. But when you send mail, it's common to include a `?parameter=something` part in the URL to indicate that the link came from e-mail.
bobince