EllisLab text mark
Advanced Search
     
https referer
 
vile
Posted: 01 October 2008 06:22 AM   [ Ignore ]
Avatar
Joined: 2007-11-20
69 posts

hi,

why is it that when the referrer came from a https the $_server[‘http_referer’] is empty but if it came from http its working? thanks

 Signature 

Philippines scam and modus operandi awareness
 
Phil Sturgeon
Posted: 01 October 2008 07:41 AM   [ Ignore ]   [ # 1 ]   [ Rating: 0 ]
Avatar
Joined: 2007-06-11
2985 posts

Must be a security thing? Keeps your online secure history secret from the next server you visit.

 Signature 

————————
Blog | Twitter | GitHub | BitBucket
————————-
PyroCMS - open source modular CMS built with CodeIgniter
PancakeApp - Simple, hosted invoicing/w project management
 
GSV Sleeper Service
Posted: 01 October 2008 08:05 AM   [ Ignore ]   [ # 2 ]   [ Rating: 0 ]
Avatar
Joined: 2008-03-13
515 posts

from the PHP manual.

‘HTTP_REFERER’
  The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

also, are you using IE?
http://support.microsoft.com/kb/178066

 Signature 

:wq
 
vile
Posted: 01 October 2008 09:09 AM   [ Ignore ]   [ # 3 ]   [ Rating: 0 ]
Avatar
Joined: 2007-11-20
69 posts

is there any way i can get http_referer from https? thanks for fast reply

 Signature 

Philippines scam and modus operandi awareness
 
GSV Sleeper Service
Posted: 01 October 2008 09:23 AM   [ Ignore ]   [ # 4 ]   [ Rating: 0 ]
Avatar
Joined: 2008-03-13
515 posts

not reliably, no. some proxies strip out the referer, and you can tell firefox (and possibly other browsers) not to send referers.

 Signature 

:wq
 
vile
Posted: 01 October 2008 11:16 PM   [ Ignore ]   [ # 5 ]   [ Rating: 0 ]
Avatar
Joined: 2007-11-20
69 posts

ok thanks.

 Signature 

Philippines scam and modus operandi awareness
 
Frank Berger
Posted: 02 October 2008 02:36 AM   [ Ignore ]   [ # 6 ]   [ Rating: 0 ]
Avatar
Joined: 2008-09-07
48 posts

The http RFC states for this:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

see here:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

That means that if you switch from a https: link to a http: link, no referer will be set by any browser. Furthermore, in Mozilla based browsers (Netscape, Firefox and so on) it is a configurable setting if referer is set between https: and https: links:
http://kb.mozillazine.org/Network.http.sendSecureXSiteReferrer

I suppose other clients have similar rules put in, besides the fact that most have the general setting of a referer as a optional setting. I suppose as well that the private/porn modes in Safari, IE8 and Googles new browser wont set a referer as well.

The short and ugly is, as stated above, don’t use/rely on referer. I don’t think i used that header since like 1999 in any of my applications/websites and was able to do all i needed to do.

cheers
Frank
 
Colin Williams
Posted: 02 October 2008 02:51 AM   [ Ignore ]   [ # 7 ]   [ Rating: 0 ]
Avatar
Joined: 2006-07-27
2617 posts

Good stuff, Frank. If you need to communicate something from a secured section to a non-secure section, use sessions.

 Signature 

Check out the Template Library
Oh yeah, I tweet, too (regarding CodeIgniter on occassion).
 
kimme
Posted: 02 November 2012 06:34 AM   [ Ignore ]   [ # 8 ]   [ Rating: 0 ]
Joined: 2012-10-09
10 posts

$_SERVER is an array which contain information. This information is related to the headers, paths, and script locations. Entries of the array is created by the web server.Through the use of a command-line tool and IIs HTTP/HTTPS settings are configured. Command-line tool is use when a WCF service is self-hosted.

 

 

 Signature 

smile