My service might use referer information to tell from what web site a request is done, and I would like to make sure there is no way to fake the referer information.
+1
A:
It's easily spoofed, so I wouldn't rely on it for anything important.
Jim Lewis
2010-10-10 04:30:35
+1
A:
The client is free to send you whatever data it wants. You should -never- trust what the browser sends.
Andrew Barber
2010-10-10 04:30:51
+2
A:
It is possible. There's nothing you can do to prevent browsers from faking that data.
Michael Petrotta
2010-10-10 04:31:01
+2
A:
There are many ways to fake any information sent by the client. The most basic rule of accepting information from a client is: don't trust the client.
Ever.
Browsers can fake, among many others, their User-Agent string and referrer (the proper spelling; the PHP function is about the most prolifically perpetuated typo going).
David Thomas
2010-10-10 04:31:17
Actually, the original source of the typo is in the HTTP spec. Can't blame this one on PHP.
Asaph
2010-10-10 04:42:32
Here is a link to the HTTP spec with the typo. -- http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36
Asaph
2010-10-10 04:51:26
@Asaph, seriously? I'd never really thought to check *past* PHP's typo. All those years of cursing mis-directed...gosh, do I feel silly, now. =/
David Thomas
2010-10-10 05:05:38
Yeah... The HTTP Spec is a horrible reminder to double DOUBLE check everything before setting it in stone. Now I don't know how to spell the damn word, because I can never remember which is which!
Paul McMillan
2010-10-10 06:00:24
@Paul, I wonder if, now, the authors look back at that and just face-palm...
David Thomas
2010-10-10 06:03:49
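To make the answers above concrete, here is an added example (not code from any poster in this thread): a loopback service that gates one path on the `Referer` header and another on a server-signed token. The secret, the site name, the paths and the `X-Site-Token` header are all constructed for the illustration, and it assumes the calling site's backend can keep its token private.

```python
import hashlib
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"constructed-demo-key"          # assumption: known only to the service
TRUSTED_SITE = "https://partner.example"  # constructed site name


def sign(site):
    """Per-site token the service hands to that site's backend out of band."""
    return hmac.new(SECRET, site.encode(), hashlib.sha256).hexdigest()


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/by-referer":
            # Weak: the decision rests on a header the client writes itself.
            ok = self.headers.get("Referer", "").startswith(TRUSTED_SITE)
        else:
            # Stronger: the caller must present a value it cannot compute.
            token = self.headers.get("X-Site-Token", "")  # hypothetical header
            ok = hmac.compare_digest(token.encode(), sign(TRUSTED_SITE).encode())
        self.send_response(200 if ok else 403)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def status(path, headers):
    """Serve one request on a loopback port and return the HTTP status seen."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.handle_request, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    url = f"http://127.0.0.1:{server.server_port}{path}"
    try:
        with opener.open(urllib.request.Request(url, headers=headers)) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    finally:
        server.server_close()


if __name__ == "__main__":
    print(status("/by-referer", {"Referer": TRUSTED_SITE + "/page"}))
    print(status("/by-token", {"Referer": TRUSTED_SITE + "/page"}))
```

The Referer-gated path accepts any client that sets the header to the expected value, while the token-gated path ignores the header and rejects a caller that does not hold the signed token.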