views:

2918

answers:

4

Often, when searching for answers, I have found that certain websites will allow you to read the information they offer if the referer is, for example, google.com. Yet, if you link directly to the information, it will be unavailable.

What I am looking for is the smallest PHP script that will set a referer of my choice, and a destination, like so:

http://example.com/ref_red.php?referer=http://google.com/&end=http://example.net/

Notes:

  • ref_red.php is the name of the script on my example.
  • referer and end should accept http, https, ftp.
  • referer and end can contain an URI of any type, as simple as http://end.com or as complicated as: http://example.com/some/rr/print.pl?document=rr, for example.

NOTE: As recommended on a reply, I am adding this. The script isn't a full proxy per se. Only initial HTTP request would be proxied (not subsequent requests like images,etc) for the sole purpose of setting the referer.

A: 

The referer is set by your browser, not by any server side mechanism. You could, I guess, construct a proxy in PHP that makes the request of the remote server and sets the referer header appropriately. It seems more useful to just use a Firefox plugin, e.g. http://www.stardrifter.org/refcontrol/.

Edit: I'd reword your question to make it clear you want to write a PHP proxy, with a custom referrer header. I'd probably just modify something like http://sourceforge.net/projects/poxy/ to take the referrer parameter and pass it on.

Edit again: You may be clear on what you're asking, but asking for the impossible doesn't make it possible. The browser is responsible for setting the referrer header; it uses the URI that caused it to redirect to a new resource. You're asking for a script that says "Please visit http://example.net, but pretend that I'm actually www.foo.com when you do so". There is no mechanism for the server to instruct the browser to "lie" about where it came from.

I suppose it may be possible via some convoluted JavaScript hacking, but it would be hacking in the black hat sense - a web site being able to force a browser to spoof the referrer would be a real security hole.

Adam Wright
I completely understand that the referer is set by the client. The script I am after will be *that* client, and set the specified referer. A Firefox plugin is not an option, since I want to use such script on public links.
David Collantes
@Adam, I am very clear on what I am asking, and the expected behavior. It might perform a function that some proxies perform, but it isn't a proxy per se. All I am looking for is a redirect script, written on PHP, that will also set the Referer header.
David Collantes
@David I believe you are misunderstanding the mechanism of a redirect. In this case when your script sets the referrer it does it on the request to the link, it would then need to either serve that information back to the client, and thus not performing a redirect at all it would be proxying all information through itself, or it would redirect the client to the link, thus destroying the whole referrer hiding. Even if the script only partially proxied content, the referrer would still be sent for images/CSS/JS etc.
Wesley Mason
@Wesley, I added a note to the question, to further clarify. Thanks!
David Collantes
A: 

You can use one of the services available on Internet which allow hiding referrers (by setting their address), but you cannot impose a specific referrer that ain't the actual referrer. The user must actually be redirected to that website (which will appear as a referrer) before he is redirected to the target website.

One of such services: http://linkanon.com

edit:

Since you changed your question now, my comment about writing a user agent in PHP which acts like a proxy, applies, but then this gets close to a criminal activity, because you will be displaying a third party website to a user who might think that she is in the actual website, while in fact she will have loaded your content (the content you have passed on). To perform this close-to-criminal activity (you are one step away from trying to read a username and password), you load the third party's website content with PHP by using your own written user agent which specifies the fake referrer and simply passes the output to visitor of your website. The function in PHP which lets one send HTTP headers, is header($header):

header("Referer: http://example.org");

Instead of shouting at people who try to help, you could try to read HTTP (that's the protocol according to which the world turns around) specification regarding Referer header: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html (See Section 14.36).

You also might want to read http://en.wikipedia.org/wiki/Referrer_spoofing where you can see that it's all about client side. PHP is server side. All you can do is try to write a client code (Javascript) generated by PHP, but if you have any luck, then you're breaking into user's world.

zilupe
You assertion is incorrect. Setting a referer is completely possible and the link you provided (although I would rather not use it) just proves it.
David Collantes
Yes, it is possible with something like a Firefox plugin, but not like you store a script on your website which hacks into your visitor's browser. You can write a "browser" in PHP which does that thing, but I suppose you don't want to do that.
zilupe
"Hack into your visitor's browser"? What are you talking about? Seriously. Just read my entry again, think it carefully (if you really care), and come back.
David Collantes
+4  A: 

this function should give you a starting point it will fetch any http url with the specified referrer

handling the query parms should be pretty trivial, so i will leave that part for you to do

<?php

    echo geturl('http://some-url', 'http://referring-url');

    function geturl($url, $referer) { 

     $headers[] = 'Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg'; 
     $headers[] = 'Connection: Keep-Alive'; 
     $headers[] = 'Content-type: application/x-www-form-urlencoded;charset=UTF-8'; 
     $user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)'; 

     $process = curl_init($url); 
     curl_setopt($process, CURLOPT_HTTPHEADER, $headers); 
     curl_setopt($process, CURLOPT_HEADER, 0); 
     curl_setopt($process, CURLOPT_USERAGENT, $useragent);
     curl_setopt($process, CURLOPT_REFERER, $referer);
     curl_setopt($process, CURLOPT_TIMEOUT, 30); 
     curl_setopt($process, CURLOPT_RETURNTRANSFER, 1); 
     curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1); 

     $return = curl_exec($process); 
     curl_close($process); 

     return $return; 
    } 

?>
bumperbox
This works like a charm. Thanks!
David Collantes
A: 

You might also find this thread useful if you wish to learn how to fake the referer with php.

Ian Roberts