views: 1421
answers: 5
Is it possible to check who is entering your website in PHP? I have a web application (written in PHP) that should only allow users entering from some particular websites. Is it possible to get the referral websites by examining the $_REQUEST object? If yes, how?

A: 

You need to examine the $_SERVER array for the 'HTTP_REFERER' key.

Rob
+7  A: 

Yes, but keep in mind some proxies and other things strip this information out, and it can be easily forged. So never rely on it. For example, don't think your web app is secure from CSRF because you check the referrer to match your own server.

$referringSite = $_SERVER['HTTP_REFERER']; // is that spelt wrong in PHP ?

If you want to only allow requests from a specific domain you'll need to parse some of the URL to get the top level domain. As I've learned more, this can be done with PHP's parse_url().

As andyk points out in the comments, you will also have to allow for www.example.com and example.com.

alex
might want to take extra caution, though, since you probably need to allow both www.example.com and example.com since it is, in most cases, the same thing. Not to mention that HTTP_REFERER is not really trustable.
andyk
from the php manual, "This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted."
andyk
Yeah I know it can't be trusted.
alex
Referer is spelled wrong in the RFC, thus in all of HTTP land it is Referer instead of Referrer
Rob
yup, made a mistake once by going HTTP_REFERRER instead. Took me a while to figure out what's wrong. :-s
andyk
@andyk: That's why I love code highlighting especially PHP specific.. oh and by the way I'm visiting Indo in the next week!
alex
@alex happy vacation! Hmm.. I'm still expecting to see some non-HTTP_REFERER answers here. Would love to see those.
andyk
@andyk The problem could be addressed with login/hash/communication between the 2 sites. I'll bring an umbrella for Bali :)
alex
@alex would get pretty confusing though, for more sites. More importantly, it's impossible to do that when you have no control over anything except your own website.
andyk
+3  A: 

While you can look at $_SERVER['HTTP_REFERER'] to get the referring site, don't bet the farm on it. The browser sets this header and it's easily spoofed.

If it's critical that only people coming from specific referrers view your site, don't use this method. You'll have to find another way, like basic auth, to protect your content. I'm not saying that you shouldn't use this technique, just keep in mind that it's not fool-proof.

BTW, you can also block referrers at the Apache level using mod_rewrite.

Gary Richardson
+2  A: 

You should first check if there is a referrer. Then you can parse the referrer using parse_url() to get the host part. Finally you can use a regular expression to check if the host is allowed.

$referrerIsValid = false;
$hasReferrer = false;
if (isset($_SERVER['HTTP_REFERER'])) {
    // parse_url() splits the referrer into scheme, host, path, etc.
    $parts = parse_url($_SERVER['HTTP_REFERER']);
    if (isset($parts['host'])) {
        $hasReferrer = true;
        // Accept example.com itself and any subdomain such as www.example.com,
        // but not look-alikes such as notexample.com or example.com.evil.test
        $referrerIsValid = (bool) preg_match('/(?:^|\.)example\.com$/', strtolower($parts['host']));
    }
}
Gumbo
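To put the points from the answers above together (a missing referrer, www versus the bare domain, the host taken from parse_url(), look-alike hosts), here is an added example that is not code from any of the posts; the allow-list and the sample referrer values are constructed, and str_ends_with() assumes PHP 8 or newer.

```php
<?php
// Classify a Referer value against an allow-list of hosts.
// Returns 'allowed', 'denied' or 'missing' so the caller can decide separately
// what to do with requests that carry no usable Referer at all.
// The value is passed in explicitly so the function can be run from the CLI.
function classifyReferer(?string $referer, array $allowedHosts): string
{
    if ($referer === null || $referer === '') {
        return 'missing'; // proxies and privacy tools strip it; browsers may omit it
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return 'missing'; // not a URL with a host part
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        // exact host, or a subdomain of it (www.example.com for example.com);
        // the leading dot keeps notexample.com out, the suffix match keeps
        // example.com.evil.test out
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return 'allowed';
        }
    }
    return 'denied';
}

// Constructed allow-list and sample referrers with the expected verdicts.
$allowed = ['example.com', 'partner.example.org'];
$samples = [
    'http://example.com/page'           => 'allowed',
    'https://www.example.com/a?b=c'     => 'allowed', // www vs bare domain
    'http://EXAMPLE.COM/'               => 'allowed', // case-insensitive host
    'http://notexample.com/'            => 'denied',  // suffix look-alike
    'http://example.com.evil.test/'     => 'denied',  // prefix look-alike
    'http://partner.example.org:8080/x' => 'allowed', // port is not part of host
    'http://user:pw@example.com/'       => 'allowed', // userinfo is not part of host
    ''                                  => 'missing',
    'garbage'                           => 'missing', // no host component
];
foreach ($samples as $ref => $expected) {
    $got = classifyReferer($ref, $allowed);
    printf("%-36s %-8s %s\n", $ref === '' ? '(empty)' : $ref, $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}

// In a request handler the header comes from $_SERVER, absent when not sent.
$verdict = classifyReferer($_SERVER['HTTP_REFERER'] ?? null, $allowed);
```

As the answers already stress, the header is client-supplied, so a verdict of 'allowed' is a hint for logging or soft gating, not authentication.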
+1  A: 

You cannot trust the referrer. Despite coming from the $_SERVER array, it is actually a user/browser supplied value and is easily faked, using such things as the Firefox RefControl addon.

R. Bemrose