Which all $_server are enabled

hi all

i have searched a lot and found that $_SERVER['HTTP_REFERER'] can be disabled or can be spoofed.

so does the same apply to all other $_SERVER variables?

Is there any $_server variable which cannot be disabled and is available all the time ?

vineet

$_SERVER are server variables, so pretty much every variable could be different in that array, considering the wide variety of web servers: Apache, Nginx, Lighttpd just to name a few…

hi feketegy

my website is hosted on linux server

so i wanted to use $server http referer to get url of previous page.

but everyone says it is not reliable.

so i thought of using another $server variable to fetch previous page url

that is why i asked if it is fine to use any other $server variable instead of http_referer

vineet

I have just run some brief tests using the $_SERVER["HTTP_REFERER"] variable and it works fine but also produces an error if there was not a previous page.

Try the following and see what specific Linux Server variables are shown for different scenarios.



 ...
 ...
 ...
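 <pre style='width:88%; margin:3em auto; color:#f00; background-color: pink;'>
    <h3>$_SERVER;</h3>
    <?php 
           // Escape the dump: several $_SERVER values come straight from the request
           echo htmlspecialchars( print_r( $_SERVER, true ), ENT_QUOTES, 'UTF-8' );

          // if set could also be interesting
          if( isset($_SESSION) )
          {
             echo '<h3>$_SESSION</h3>';
             echo htmlspecialchars( print_r( $_SESSION, true ), ENT_QUOTES, 'UTF-8' );
          }
     ?>
 </pre>
 </body>
 </html>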


hi john

HTTP_REFERER works fine in my browser.

There are tools available by which user can disable http_referer in their browser

So i wanted to know whether they can disable other $_server variables also ?

vineet

Hi Vineet,

The HTTP_REFERER server variable is not set the first time your site is called from the browser command line. It is only set when called from another web page. If you do not test for the variable, using isset( $_SERVER['HTTP_REFERER'] ), then an error will be produced.

Did you run the supplied script?

hi john

i uploaded this code on 2 different hosting accounts


<?php
print_r( $_SERVER );
?>

and they both did not echo $_SERVER['HTTP_REFERER']

it means http_Referer is not available on both hosting accounts.

strange to know

vineet

I am most surprised the two hosts are not showing the HTTP_REFERER server variable.

Does HTTP_REFERER show on your localhost?

Are there any other server values you can use?

Have you checked your web stats because they should show the referring pages.

Can you use session variables?

hi john

no, it's not shown when i print_r($_server).

but when i go from one page to another then $_server[http_referer] echoes previous page url correctly.

vineet

That is exactly how HTTP_REFERER works. You won’t get it on the initial page load, but subsequent page interactions “should” contain it. Granted, it can be spoofed (just like most SERVER, GET, POST, and REQUEST variables can be spoofed). So you shouldn’t rely on it, and you should ALWAYS validate it before using it.

hi cp

so instead of referer, if i use sessions then what value should i insert in the $_session

vineet

On each page load, you will check if the session variable exists, and read it, then you will write the current page URL into the session.

Something along the lines of

<?php
  session_start();
  if (isset($_SESSION['REFERER']))
  {
    define('REFERER', $_SESSION['REFERER']);
  }
  $_SESSION['REFERER'] = $_SERVER['PHP_SELF'];
?>

You can then access the REFERER using (again after checking it is set)

echo REFERER;

hi cp

please correct me if i m wrong.

normally i declare sessions first and then write isset statement


$_SESSION['user'] = $_REQUEST['user'];
if(isset($_SESSION['user']))
{
    // do something
}

but in your code you did the isset() first and then declare


 <?php
  session_start();
  if (isset($_SESSION['REFERER']))
  {
    define('REFERER', $_SESSION['REFERER']);
  }
  $_SESSION['REFERER'] = $_SERVER['PHP_SELF'];
?>

i just want to clear my confusion

vineet

If you write to it before it exists or before reading it, then you can never get the referring page because you just overwrote that value. So you have to read it first and then write to it.

thanks cp

for clearing the doubt

vineet

If you have control over the web server then you can configure it to pass that variable…
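
Added example (not part of the original thread or any poster's code): one way to combine the two pieces of advice given above, validating HTTP_REFERER before using it and keeping the previous page in the session with read-then-write. The function names, the $allowedHosts allowlist, the 2048-byte length limit, the www.example.com host and the sample request arrays are assumptions made for illustration.

```php
<?php
// Added example; safe_referer(), previous_page() and $allowedHosts are hypothetical names.

/** Return the path of a Referer header only if it points at one of our own hosts.
 *  The header is client-supplied, so it may be absent, malformed or forged. */
function safe_referer(array $server, array $allowedHosts): ?string
{
    $raw = $server['HTTP_REFERER'] ?? '';
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return null;                      // absent (first visit, stripped by browser) or over the assumed limit
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // only web schemes are accepted
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;                      // header names a host that is not ours
    }
    return $parts['path'] ?? '/';         // keep the path only; drop query and fragment
}

/** Read-then-write, as in the session snippet in the thread: fetch the page stored
 *  by the previous request, then store the current one. The session value is set
 *  server-side, so it is preferred over the header. */
function previous_page(array $server, array &$session, array $allowedHosts): ?string
{
    $previous = $session['REFERER'] ?? safe_referer($server, $allowedHosts);
    $session['REFERER'] = $server['SCRIPT_NAME'] ?? '/';   // SCRIPT_NAME: no client-appended path info
    return $previous;
}

// Constructed sample requests; the arrays stand in for $_SERVER and $_SESSION.
$hosts   = ['www.example.com'];
$session = [];
$forged  = ['HTTP_REFERER' => 'https://attacker.example/login', 'SCRIPT_NAME' => '/cart.php'];
$genuine = ['HTTP_REFERER' => 'https://www.example.com/list.php?p=2', 'SCRIPT_NAME' => '/item.php'];

var_dump(previous_page($forged, $session, $hosts));    // first visit: header names a foreign host
var_dump(previous_page($genuine, $session, $hosts));   // second visit: session value is used
echo htmlspecialchars((string) previous_page($genuine, $session, $hosts), ENT_QUOTES, 'UTF-8'), "\n";
```

In a real page, call session_start() first and pass $_SERVER and $_SESSION in place of the sample arrays.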