[EMAIL PROTECTED] (Chris Shiflett) wrote:

>--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
>> Many PHP programmers tried their best to use
>> HTTP_REFERER so they can keep track of which
>> webpages on the current website the user
>> last visited.
>
>I think I see what you are referring to now.
>
>The reason that many people (myself included) discourage
>the use of REFERER for this purpose is not only because
>support is inconsistent, but also because it is not
>required that a Web client send this header. In fact, the
>only required header in the latest version of HTTP (1.1) is
>the Host header. So, it really boils down to not depending
>on something that is not guaranteed to be there.

It is even dangerous to rely on HTTP_REFERER because it's not under
your control. The client could set the HTTP headers itself (e.g. a
PHP script using CURL, www.php.net/curl). You should at least combine
the REFERER check with a valid session on your host or look for a
corresponding log entry or something similar.

Christoph

-- 
PHP General Mailing List (http://www.php.net/)
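
Added example, not part of the original messages: one way to track the previously visited page in server-side session state and treat the Referer header only as a hint to compare against it. The function names (record_page, came_from), the session keys and the example.com URLs are hypothetical, and plain arrays stand in for $_SESSION and $_SERVER so the script runs from the CLI.

```php
<?php
// Record the page being served in server-side session state.
function record_page(array &$session, string $path): void
{
    $session['previous_page'] = $session['last_page'] ?? null;
    $session['last_page'] = $path;
}

// Decide whether the visitor reached the current page from $expected.
// The session value is authoritative; the Referer header is only a hint.
function came_from(array $session, array $server, string $expected): array
{
    $previous = $session['previous_page'] ?? null;
    $allowed  = ($previous === $expected);

    // Referer may be absent (HTTP/1.1 only requires Host) or client-chosen.
    $referer = $server['HTTP_REFERER'] ?? null;
    $refPath = $referer !== null ? parse_url($referer, PHP_URL_PATH) : null;

    if ($referer === null) {
        $note = 'referer absent';
    } elseif ($refPath !== $previous) {
        $note = 'referer disagrees with session'; // worth a log entry
    } else {
        $note = 'referer agrees with session';
    }
    return ['allowed' => $allowed, 'note' => $note];
}

// Constructed sample: a session that visited /cart.php, then /checkout.php.
$session = [];
record_page($session, '/cart.php');
record_page($session, '/checkout.php');

$cases = [
    'no referer'      => [$session, []],
    'matching'        => [$session, ['HTTP_REFERER' => 'http://example.com/cart.php']],
    'client-supplied' => [$session, ['HTTP_REFERER' => 'http://example.com/other.php']],
    // No session history at all, but a header naming the expected page.
    'no session'      => [[], ['HTTP_REFERER' => 'http://example.com/cart.php']],
];
foreach ($cases as $label => [$sess, $server]) {
    $r = came_from($sess, $server, '/cart.php');
    printf("%-16s allowed=%s (%s)\n", $label, $r['allowed'] ? 'yes' : 'no', $r['note']);
}
```

The decision depends only on what the server recorded, so a missing or altered Referer changes the note that gets logged, not the outcome.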