Grabbing entry domain for a site - php

I have several domains that point to the same site, some of them ending in ".br" (the domain for Brazil, thus for Portuguese speakers).
I want to detect which domain the person came from (.br or not) and load the correct language...
I can use PHP, JavaScript or standard HTML/CSS etc... How do I do it? (and with what?)

On the server side, use the HTTP_HOST variable which is basically the Host header and a fool-proof way of checking the host the request was sent to.
$_SERVER['HTTP_HOST']
See this question for a nice comparison between SERVER_NAME and the HTTP_HOST variables.
On the client side, use document.domain. For this page - https://developer.mozilla.org/en/document.domain, the value of document.domain is
"developer.mozilla.org"

$_SERVER['HTTP_REFERER'] should get that information. But this is not a surefire way. Some people have the referrer turned off or spoofed in their browsers etc. This is the only way that I would know how, unless you can append GET data to the URLs on the domain to set the language etc. Then you just check for that GET data.

If you are on PHP5.3+ you can use
Locale::acceptFromHttp — Tries to find out best available locale based on HTTP "Accept-Language" header
If not, you can still determine it from Accept-Language header yourself. Using the Accept Header should be somewhat more reliable than using the TLD, especially if you also need to use any of the other intl extensions.

Related

Detecting the visitor's browser by JAVASCRIPT or PHP?

I am curious to know if detecting the visitor browser with client-side script is more reliable than server-side script?
It is easy and popular to get the visitor's browser with both PHP and JavaScript. In the former, we analyze $_SERVER['HTTP_USER_AGENT'], sent in the header array. However, the header is not always reliable. Can JavaScript be more reliable, as it gets the visitor's browser from the visitor's machine?
I mean is it possible to miss the USER AGENT in header and get the browser by javascript?
UPDATE: Please do not introduce methods such as jQuery as I am familiar with them. I just want to know if it's possible for header's user agent to fail when javascript still can detect browser? Comparison of client-side and server-side methods.
The User-Agent can be tested server side or client side, either way it can be spoofed.
You can fingerprint the browser with JavaScript (seeing what methods and objects the browser provides) and use that to infer the browser, but that is less precise and JavaScript can be disabled / blocked / edited by the client.
So neither is entirely reliable.
It is generally a bad idea to do anything based on the identity of the browser though.
OK. So User-Agent header is not required by RFC
User agents SHOULD include this field with requests.
https://www.rfc-editor.org/rfc/rfc2616#section-14.43
Which means the server side detection is not guaranteed.
Similarly client side detection typically relies on navigator.userAgent but that is also provided by the user agent (browser or what not) and similarly cannot be guaranteed.
Thus the answer to your question is 50/50 :)
Now, if you are trying to figure out how to handle different browsers - feature detection is your safest bet here - but that's a different question ;)
I would just use the server side detection.
If a user wants to mask their browser, their browser will likely be masked on both ends.
If you want to find out their browser for HTML compatibility, they should be expecting mildly broken pages if they've masked their browser (but you should always try your best not to have browser specific HTML). If it's for javascript compatibility, they should also be expecting some broken javascript.
Take a look at $.browser() in jquery
A different angle: why do we want to detect the browser?
In the case of analytics, there isn't much you can do really. Anyone that does a little research can send whatever user agent string they like, but who's going to go through all the trouble ;)
If we're talking about features to enable/disable on a website, you should really be going for feature detection. By focusing on what the browser can/can't do, instead of what it calls itself, you can generally expect that browser to perform whatever action reliably if the feature you need is present.
More info: http://jibbering.com/faq/notes/detect-browser/
One big advantage to use client-side javascript is that you can get much more information about the browser.
Here is an interesting example: https://panopticlick.eff.org/

How do I catch the request url / domain in my REST api?

This may have a simple answer (and I hope it does) but looking online I only found examples of how to get the current URL/domain. Nowhere could I find how to get that of the incoming HTTP request.
My set up is a REST api that handles the typical GET/POST/DELETE/PUT requests. I have to return domain information for clients about the domain they're pulling from. Hence, if a client using my CMS clicks on info, he must receive info about the domain he is logged into (and thus sending the request from).
I chose not to add code here, seeing as my question pertains less to actual code as it does to methodology. Thanks in advance for any and all answers!
On the Internet every address could be faked (VPN, proxies etc). It's one of the fundamental principles of the network.
You will never be able to detect it with a 100% guarantee, so the most you could have is $_SERVER['HTTP_REFERER'] and $_SERVER['REMOTE_ADDR'].
You could add extra verification of its existence before saving/processing it, but it could cost your server some additional performance.
If your aim is to provide some additional access rules for some methods / data, you should use another verification mechanism (tokens, passwords etc).
print_r($_SERVER);
Maybe it'll be useful for you.
It sounds as though you're looking for the HTTP referer, accessible in PHP through $_SERVER['HTTP_REFERER'].
As far as I know, there are no reliable ways to determine the domain where a request comes from. Maybe you could check the client's IP address and/or the HTTP referer and match it to a set of domains,... but that wouldn't be 100% safe in my opinion.
How about implementing an (optional) parameter for your API calls, which has to be the domain name?
I ended up defining a key constant in an external PHP file that I will deliver to the client within the CMS. (Already have a bunch of constants anyway).
On the server side I put the key in the database and compare these keys on every request. This is not foolproof but I realized I could use the key for other functions as well and so I implemented it anyway.
Using this combined with various other security checks I found it unnecessary to have to track the request domain. Thanks for the responses guys!

Showing my website in a user's language

I have a small search engine site and I was wondering if there was any way of displaying my site in the user's language. I am looking for an inventive and quick way that can also reside on just one URL.
I hope you can understand my question.
You could use the HTTP header "Accept-Language" to detect which languages the user has chosen as their preferred ones in their browser.
In PHP, this will be available (if sent by the browser) in $_SERVER, which is an array that contains (amongst other things) HTTP headers sent by the client.
This specific header should be available as $_SERVER['HTTP_ACCEPT_LANGUAGE'].
I am assuming you already have different versions of the site in various languages. Most sites seem to just ask the user what their language is and then save that in a cookie. You can probably guess a user's language using an IP-to-location tool.
You are probably more interested in this though: http://techpatterns.com/downloads/php_language_detection.php. This PHP script allows you to detect the user's language based on info sent from their browser. It might not be completely accurate though, so you should always have an option to switch the language.
If you don't have translations of your page, you can redirect users to a google translate page.
There is a really easy solution for this. Just use Google's Translate Elements JS addon. You drop the JS on the page and Google takes care of the rest.
http://translate.google.com/translate_tools
The only downside is that they cannot fully interact with the site using this. By that I mean they cannot input something in their own language and you get back the input in yours. Also searches will have to be done in the site's native language. So really this just depends on what you are trying to accomplish here.
You could use a script which checks for a language cookie.
If the language cookie is set, you can use that value to select the right language vars;
if not, you find out the user's current language in whichever way you prefer. I think there are a lot of ways; I don't know which is the best.
Additionally, you would place a form somewhere on the site where the user can click a language, and you pass that by POST to a script which then sets a cookie, or overwrites the current cookie if there is one already.
This method obviously works with one URL for all your languages, which I think is quite nice about it...
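The selection order described in this thread and in the ".br" entry-domain question above (stored cookie, then entry domain, then Accept-Language), as an added example that is not code from any of the answers. The names SUPPORTED, DEFAULT_LANG, the "lang" cookie and both functions are assumptions, as is the precedence of the domain over the browser header; a production parser would also need to handle the "*" range and language subtags.

```php
<?php
// Added example; constants, cookie name and function names are assumptions.
const SUPPORTED = ['en', 'pt'];   // languages the site has translations for
const DEFAULT_LANG = 'en';

// Rank the supported primary language tags in an Accept-Language value by q.
function langsFromAcceptLanguage(string $header): array
{
    $best = [];
    foreach (explode(',', $header) as $pos => $range) {
        // "pt-BR;q=0.8" -> primary tag "pt", q 0.8; q defaults to 1.0
        $re = '/^\s*([a-z]{1,8})(?:-[a-z0-9]{1,8})*\s*(?:;\s*q=([01](?:\.\d{0,3})?))?\s*$/i';
        if (!preg_match($re, $range, $m)) {
            continue;             // malformed range or "*": ignore it
        }
        $lang = strtolower($m[1]);
        $q = isset($m[2]) ? (float) $m[2] : 1.0;
        if ($q > 0 && in_array($lang, SUPPORTED, true)
            && (!isset($best[$lang]) || [$q, -$pos] > $best[$lang])) {
            $best[$lang] = [$q, -$pos];   // higher q first, then earlier position
        }
    }
    uasort($best, fn($a, $b) => $b <=> $a);
    return array_keys($best);
}

function pickLanguage(array $server, array $cookie): string
{
    // 1. A choice the visitor made through the language form wins.
    $chosen = $cookie['lang'] ?? null;
    if (is_string($chosen) && in_array($chosen, SUPPORTED, true)) {
        return $chosen;
    }
    // 2. Entry domain. Host is sent by the client, so only its suffix is
    //    tested and the result is always one of the fixed values above.
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = rtrim(preg_replace('/:\d+$/', '', $host), '.');
    if (substr($host, -3) === '.br') {
        return 'pt';
    }
    // 3. Browser preference, then the site default.
    return langsFromAcceptLanguage((string) ($server['HTTP_ACCEPT_LANGUAGE'] ?? ''))[0] ?? DEFAULT_LANG;
}

// Constructed sample requests
var_dump(pickLanguage(['HTTP_HOST' => 'example.com.br:8080'], []));
var_dump(pickLanguage(['HTTP_HOST' => 'example.com', 'HTTP_ACCEPT_LANGUAGE' => 'fr;q=0.9, pt-BR;q=0.8, en;q=0.5'], []));
var_dump(pickLanguage(['HTTP_HOST' => 'example.com.br'], ['lang' => 'en']));
```

Because every branch returns a value from a fixed list, a header or cookie the client controls can never end up in a file path or template name.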

Detect visitors origin (facebook,yahoo,google) etc

I'm using single sign-on solutions from jahrain. Basically, I want to detect users coming from (facebook, yahoo, google, myspace, live/hotmail, openid) domains, then, if they are not logged in, redirect to a webpage intended for these visitors. I'm using PHP.
While this is not foolproof, a common way to do this is by examining the $_SERVER['HTTP_REFERER'] environment variable, which is generally sent by the browser as a header.
That said, note the things from this thread: Determining Referer in PHP
Look at $_SERVER['HTTP_REFERER'].
This is an optional HTTP header the client may or may not set, so it's not guaranteed to be correct, trustworthy or to be there at all, but it's your only choice.

Inspect the referrer in PHP

Is it possible to check who is entering your website in PHP. I have a web application ( written in PHP) that should only allow users entering from some particular websites. Is it possible to get the referral websites by examining the _Request object? If yes, how?
Yes, but keep in mind some proxies and other things strip this information out, and it can be easily forged. So never rely on it. For example, don't think your web app is secure from CSRF because you check the referrer to match your own server.
$referringSite = $_SERVER['HTTP_REFERER']; // is that spelt wrong in PHP ?
If you want to only allow requests from a specific domain you'll need to parse some of the URL to get the top level domain. As I've learned more, this can be done with PHP's parse_url().
As andyk points out in the comments, you will also have to allow for www.example.com and example.com.
While you can look at $_SERVER['HTTP_REFERER'] to get the referring site, don't bet the farm on it. The browser sets this header and it's easily spoofed.
If it's critical that only people coming from specific referrers view your site, don't use this method. You'll have to find another way, like basic auth, to protect your content. I'm not saying that you shouldn't use this technique, just keep in mind that it's not fool-proof.
BTW, you can also block referrers at the apache level using mod_rewrite.
You cannot trust the referrer. Despite coming from the $_SERVER array, it is actually a user/browser supplied value and is easily faked, using such things as the Firefox RefControl addon.
You need to examine the $_SERVER array for the 'HTTP_REFERER' key.
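The parse_url() approach mentioned in this thread, including the example.com / www.example.com case, as an added example that is not code from any of the answers. The host list and function names are placeholders, and the result is a hint for routing or display rather than an access decision, since the header is supplied by the client.

```php
<?php
// Added example. The host list and function names are placeholders.
const ALLOWED_REFERRER_HOSTS = ['example.com', 'partner.example.org'];

// Host part of the Referer header, lower-cased; null if missing or unparseable.
function referrerHost(array $server): ?string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    if (!is_string($ref) || $ref === '') {
        return null;                       // header stripped or never sent
    }
    $parts = parse_url($ref);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return rtrim(strtolower($parts['host']), '.');
}

// Exact match on the parsed host, accepting both example.com and www.example.com.
function isAllowedReferrer(array $server): bool
{
    $host = referrerHost($server);
    if ($host === null) {
        return false;
    }
    if (strncmp($host, 'www.', 4) === 0) {
        $host = substr($host, 4);
    }
    return in_array($host, ALLOWED_REFERRER_HOSTS, true);
}

// Constructed Referer values
$samples = [
    'https://www.example.com/landing?id=7',
    'http://EXAMPLE.com',
    'https://example.com.other.test/',        // only starts with an allowed name
    'https://other.test/?from=example.com',   // allowed name appears in the query
    '',                                       // no Referer header
];
foreach ($samples as $ref) {
    $verdict = isAllowedReferrer(['HTTP_REFERER' => $ref]) ? 'allowed' : 'rejected';
    printf("%-40s %s\n", $ref === '' ? '(none)' : $ref, $verdict);
}
```

Comparing the parsed host exactly, rather than searching the whole URL for the domain string, is what makes the third and fourth samples come out as rejected.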
