Inspect the referrer in PHP - php

Is it possible to check who is entering your website in PHP. I have a web application ( written in PHP) that should only allow users entering from some particular websites. Is it possible to get the referral websites by examining the _Request object? If yes, how?

Yes, but keep in mind some proxies and other things strip this information out, and it can be easily forged. So never rely on it. For example, don't think your web app is secure from CSRF because you check the referrer to match your own server.
$referringSite = $_SERVER['HTTP_REFERER']; // is that spelt wrong in PHP ?
If you want to only allow requests from a specific domain you'll need to parse some of the URL to get the top level domain. As I've learned more, this can be done with PHP's parse_url().
As andyk points out in the comments, you will also have to allow for www.example.com and example.com.
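The check the answers above describe, put together as a working function. This is an added example and not code from the thread; it assumes PHP 8 (for `str_starts_with`/`str_ends_with`) and a made-up allow-list of two sites. The same function answers the later question on this page about detecting visitors from Facebook, Google and similar: the set of hosts is just different. Because the `Referer` header is set by the browser and can be blank or forged, the result is only ever a hint for routing or statistics, never an access-control decision.

```php
<?php
// Added example (not from the answers above): is the Referer one of the
// sites we expect? parse_url() extracts the host; "www." is stripped so
// www.example.com and example.com compare equal. Exact host matching is
// used on purpose: a substring test like strpos($ref, 'example.com')
// would also accept example.com.somewhere-else.test.

declare(strict_types=1);

/** Normalised host of a Referer value, or null if absent/unparseable. */
function referrer_host(?string $referer): ?string
{
    if ($referer === null || $referer === '') {
        return null;                            // header missing or stripped by a proxy
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return null;                            // not a URL we can reason about
    }
    $host = strtolower($parts['host']);
    if (str_starts_with($host, 'www.')) {
        $host = substr($host, 4);
    }
    return $host;
}

/**
 * True when the referring host is one of $allowed or a subdomain of one.
 * $allowed holds bare registrable domains such as "example.com".
 */
function referrer_allowed(?string $referer, array $allowed): bool
{
    $host = referrer_host($referer);
    if ($host === null) {
        return false;
    }
    foreach ($allowed as $site) {
        $site = strtolower($site);
        if ($host === $site || str_ends_with($host, '.' . $site)) {
            return true;
        }
    }
    return false;
}

// Usage. $_SERVER['HTTP_REFERER'] is simply unset when no header was sent,
// hence the null-coalescing default. The allow-list is an assumed value.
$allowed = ['example.com', 'partner.example.org'];
if (!referrer_allowed($_SERVER['HTTP_REFERER'] ?? null, $allowed)) {
    // Soft gate only: this keeps casual deep links out, not a determined user.
    http_response_code(403);
    exit('Please access this page via one of our partner sites.');
}
```

`referrer_host()` returns `null` for an empty or missing header as well as for a malformed one, so the caller sees a single "no usable referrer" case; whether that should be allowed or denied depends on the site, and the example denies it.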

While you can look at $_SERVER['HTTP_REFERER'] to get the referring site, don't bet the farm on it. The browser sets this header and it's easily spoofed.
If it's critical that only people coming from specific referrers view your site, don't use this method. You'll have to find another way, like basic auth, to protect your content. I'm not saying that you shouldn't use this technique, just keep in mind that it's not fool-proof.
BTW, you can also block referrers at the apache level using mod_rewrite.

You cannot trust the referrer. Despite coming from the $_SERVER array, it is actually a user/browser supplied value and is easily faked, using such things as the Firefox RefControl addon.

You need to examine the $_SERVER array for the 'HTTP_REFERER' key.

Related

How to track users origin PHP by using example.com/index.php?ref=origin

How to track users' origin in PHP? I see people using this ref= often; I don't have any idea how this GET request works.
My code
$calling_url = mysql_real_escape_string($_SERVER['HTTP_REFERER']);
URL:
http://example.com/index.php?ref=http://externalsite.com/page.html OR
http://example.com/index.php?ref=http%3A%2F%2Fexternalsite.com%2Fpage.html
PHP:
$ref = mysql_real_escape_string(rawurldecode($_GET["ref"]));
// $ref will be "http://externalsite.com/page.html" in both cases
Resources for URL tracking:
Using Referrer URLs to Better Understand Your Visitors
Referrers and Search Engines tracking
Alternative for $_SERVER['HTTP_REFERER'] PHP variable
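A modernised version of the `?ref=` handling in the answer above, added here and not part of the original thread. It assumes PDO with a `visits` table (constructed names) and PHP 7.4 or later. Two things differ from the snippet in the question: PHP has already URL-decoded `$_GET` values, so no `rawurldecode()` is needed for either form of the link, and a prepared statement replaces `mysql_real_escape_string()`, which no longer exists in PHP 7+. The value is also validated as an `http(s)` URL before it is stored, since anything a visitor can put in a query string will otherwise end up in your database.

```php
<?php
// Added example, not the asker's code: record a visitor-supplied ?ref=
// value safely. Only scheme, host and path are kept; a query string on the
// referring page may carry other people's session ids or tokens.

declare(strict_types=1);

/** Returns the URL to store, or null if the parameter is missing or unusable. */
function sanitize_ref(?string $ref): ?string
{
    if ($ref === null || filter_var($ref, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($ref);
    // FILTER_VALIDATE_URL accepts other schemes (e.g. file:), so be explicit.
    if (!in_array($parts['scheme'] ?? '', ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    return $parts['scheme'] . '://' . strtolower($parts['host']) . ($parts['path'] ?? '/');
}

/** Inserts one row; the bound parameters make escaping unnecessary. */
function record_visit(PDO $db, ?string $ref, string $clientIp): void
{
    $stmt = $db->prepare(
        'INSERT INTO visits (referrer, client_ip, seen_at) VALUES (:ref, :ip, NOW())'
    );
    $stmt->execute([':ref' => sanitize_ref($ref), ':ip' => $clientIp]);
}

// Usage (DSN, credentials and table are assumptions for the example):
$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
record_visit($db, $_GET['ref'] ?? null, $_SERVER['REMOTE_ADDR']);
```

Both link forms from the answer, `?ref=http://externalsite.com/page.html` and the percent-encoded one, arrive in `$_GET['ref']` as `http://externalsite.com/page.html`, and `sanitize_ref()` stores exactly that string.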
Without knowing more about what you're trying to achieve.
If users are coming from outside your site, the best bet is to use HTTP_REFERER. If someone asks your server for a page, you'll have to take their word for it as far as the referrer is concerned. Whether that's in the URL or in the browser. If they don't want to tell you, you can't make them.
Even though it's not that reliable it's going to be more reliable than depending on someone else's application. Unless there is a transaction involved that would encourage the referrers to format the url correctly.
If users are moving around within your own site, you can use the ref= strategy, or you can use session variables.

How do I catch the request url / domain in my REST api?

This may have a simple answer (and I hope it does), but looking online I only found examples of how to get the current URL/domain. Nowhere could I find how to get that of the incoming HTTP request.
My set up is a REST api that handles the typical GET/POST/DELETE/PUT requests. I have to return domain information for clients about the domain they're pulling from. Hence, if a client using my CMS clicks on info, he must receive info about the domain he is logged into (and thus sending the request from).
I chose not to add code here, seeing as my question pertains less to actual code as it does to methodology. Thanks in advance for any and all answers!
On the Internet, every address can be faked (VPN, proxies, etc.). It's one of the fundamental principles of the network.
You will never be able to detect it with a 100% guarantee, so the maximum you can have is $_SERVER['HTTP_REFERER'] and $_SERVER['REMOTE_ADDR'].
You could do additional verification of its existence before saving/processing it, but it could cost some additional performance on your server.
If your aim is to provide some additional access rules for some methods/data, you should use another verification mechanism (tokens, passwords, etc.).
print_r($_SERVER);
Maybe it'll be useful for you.
It sounds as though you're looking for the HTTP referer, accessible in PHP through $_SERVER['HTTP_REFERER'].
As far as I know, there are no reliable ways to determine the domain where a request comes from. Maybe you could check the client's IP address and/or the HTTP referer and match it to a set of domains, but that wouldn't be 100% safe in my opinion.
How about implementing an (optional) parameter for your API calls, which has to be the domainname?
I ended up defining a key constant in an external php file that I will deliver to the client within the CMS. (Already have a bunch of constants anyway).
On the server side I put the key in the database and compare these keys on every request. This is not foolproof, but I realized I could use the key for other functions as well and so I implemented it anyway.
Using this combined with various other security checks I found it unnecessary to have to track the request domain. Thanks for the responses guys!
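The per-client key approach the asker settled on, written out as an added example (not the asker's implementation). It assumes PDO, an `api_clients` table with `client_id` and `key_hash` columns, and two request headers, `X-Client-Id` and `X-Api-Key`; all of these names are constructed for the example. Two refinements over a plain string compare against a stored constant: only a SHA-256 hash of the key is stored, so a database leak does not hand out working keys, and the comparison uses `hash_equals()`, whose running time does not depend on where the two strings first differ.

```php
<?php
// Added example: authenticate a REST request by a per-client API key.
// The client id selects the row; the presented key is then compared to
// the stored hash in constant time. Table and header names are assumed.

declare(strict_types=1);

/** A fresh key to hand to a client. Store hash_key() of it, never the key. */
function generate_api_key(): string
{
    return bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
}

function hash_key(string $key): string
{
    return hash('sha256', $key);
}

/** Returns the authenticated client id, or null when the key does not match. */
function authenticate(PDO $db, string $clientId, string $presentedKey): ?string
{
    if ($clientId === '' || $presentedKey === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT key_hash FROM api_clients WHERE client_id = :id');
    $stmt->execute([':id' => $clientId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                            // unknown client
    }
    return hash_equals($row['key_hash'], hash_key($presentedKey)) ? $clientId : null;
}

// Usage at the top of the request handler (DSN is an assumption):
$db = new PDO('mysql:host=localhost;dbname=cms', 'cms', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$client = authenticate(
    $db,
    $_SERVER['HTTP_X_CLIENT_ID'] ?? '',
    $_SERVER['HTTP_X_API_KEY'] ?? ''
);
if ($client === null) {
    http_response_code(401);
    exit;
}
// $_SERVER['HTTP_HOST'] is the domain the client addressed in this request.
// It is client-supplied too, so check it against the hosts this server is
// configured to serve before returning it in the "domain info" response.
```

Generating the key with `random_bytes()` rather than deriving it from something predictable (a client name, a timestamp) is what makes the "compare on every request" step meaningful; the hash then only protects the stored copy.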

Detect visitors origin (facebook,yahoo,google) etc

I'm using the single sign-on solution from jahrain. Basically, I want to detect users coming from (Facebook, Yahoo, Google, MySpace, Live/Hotmail, OpenID) domains, then, if not logged in, redirect them to a web page intended for these visitors. I'm using PHP.
While this is not foolproof, a common way to do this is by examining the $_SERVER['HTTP_REFERER'] environment variable, which is generally sent by the browser as a header.
That said, note the things from this thread: Determining Referer in PHP
Look at $_SERVER['HTTP_REFERER'].
This is an optional HTTP header the client may or may not set, so it's not guaranteed to be correct, trustworthy or to be there at all, but it's your only choice.

Grabbing entry domain for a site

I have several domains that point to the same site, some of them ending in ".br" (domain for Brazil, thus for Portuguese speakers).
I want to detect from what domain the person came (.br or not) and load the correct language...
I can use PHP, JavaScript or standard HTML/CSS, etc. How do I do it? (and with what?)
On the server side, use the HTTP_HOST variable which is basically the Host header and a fool-proof way of checking the host the request was sent to.
$_SERVER['HTTP_HOST']
See this question for a nice comparison between SERVER_NAME and the HTTP_HOST variables.
On the client side, use document.domain. For this page - https://developer.mozilla.org/en/document.domain, the value of document.domain is
"developer.mozilla.org"
$_SERVER['HTTP_REFERER'] should get that information. But this is not a sure fire way. Some people have the referrer turned off or spoofed in their browsers etc. This is the only way that I would know how, unless you can append get data to the urls on the domain to set the language etc. Then you just check for that get data.
If you are on PHP5.3+ you can use
Locale::acceptFromHttp — Tries to find out best available locale based on HTTP "Accept-Language" header
If not, you can still determine it from Accept-Language header yourself. Using the Accept Header should be somewhat more reliable than using the TLD, especially if you also need to use any of the other intl extensions.
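The two server-side approaches from the answers above combined: the domain the request was addressed to decides first, and the `Accept-Language` header is the fallback. This is an added example, not code from the thread; the host list and locale codes are assumptions. One practitioner's caveat is built in: the `Host` header is sent by the client just as `Referer` is, so only hosts this site is actually configured for are honoured, and any other value falls through to `Accept-Language` and then to the default. The small `Accept-Language` parser is included so the example runs without the intl extension; with intl installed, `Locale::acceptFromHttp()` can replace `language_from_accept()`.

```php
<?php
// Added example: choose the UI language from the request's Host header,
// then from Accept-Language, then a default. Host values not in SITE_HOSTS
// are ignored rather than trusted.

declare(strict_types=1);

/** Hosts this site answers for and the language each implies (assumed). */
const SITE_HOSTS = [
    'example.com.br'     => 'pt_BR',
    'www.example.com.br' => 'pt_BR',
    'example.com'        => 'en',
    'www.example.com'    => 'en',
];

/** Accept-Language tags we recognise, mapped to the locales we ship. */
const ACCEPT_MAP = ['pt-br' => 'pt_BR', 'pt' => 'pt_BR', 'en' => 'en'];

const DEFAULT_LANG = 'en';

function language_from_host(string $hostHeader): ?string
{
    $host = strtolower(explode(':', $hostHeader, 2)[0]);   // drop an explicit port
    return SITE_HOSTS[$host] ?? null;
}

/** Minimal Accept-Language parser that honours q-values. */
function language_from_accept(string $header): ?string
{
    $weights = [];
    foreach (explode(',', $header) as $entry) {
        $pieces = explode(';', $entry);
        $tag = strtolower(trim($pieces[0]));
        if ($tag === '') {
            continue;
        }
        $q = 1.0;
        if (isset($pieces[1]) && preg_match('/^q=(\d(?:\.\d+)?)/', trim($pieces[1]), $m)) {
            $q = (float) $m[1];
        }
        if ($q > 0) {
            $weights[$tag] = $q;
        }
    }
    arsort($weights);                                      // highest q first
    foreach (array_keys($weights) as $tag) {
        $primary = explode('-', $tag, 2)[0];               // "pt-br" -> "pt"
        $lang = ACCEPT_MAP[$tag] ?? ACCEPT_MAP[$primary] ?? null;
        if ($lang !== null) {
            return $lang;
        }
    }
    return null;
}

function choose_language(array $server): string
{
    return language_from_host($server['HTTP_HOST'] ?? '')
        ?? language_from_accept($server['HTTP_ACCEPT_LANGUAGE'] ?? '')
        ?? DEFAULT_LANG;
}

// Usage:
$lang = choose_language($_SERVER);
```

`choose_language()` takes the `$_SERVER` array as a parameter rather than reading it directly so the selection logic can be exercised with constructed headers in a test.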

Track where users come from in PHP?

Is it possible to find out where the users come from? For example, I give a client a banner and the link. The client may put the banner/link on any website, let's say on a site called www.domain.com.
When the user clicks the banner, is it possible to know where he is coming from (www.domain.com)?
Have a look at the HTTP_REFERER variable. It will tell you what site the user was on before he came to your site.
Yes. You give the client a unique URL, like www.yourdomain.com/in/e10c89ee4fec1a0983179c8231e30a45. Then, track these urls and accesses in a database.
The real problem is tracking unique visitors.
See
$_SERVER["HTTP_REFERER"]
Although that can't always be trusted as it's set by the client but you may not care in your case.
In some scenarios, $_SERVER["HTTP_REFERER"] will only work when php (php.ini) is configured with register_globals bool configured to on.
Register globals can allow exploitation in loosely coded php applications. Commonly in apps that allow users to post data.
I have used the following method in the past to check referrers in applications where I control the operator input.
session_start();
if (!isset($_SESSION['url_referer'])) {
    // HTTP_REFERER is absent when the browser sent no header; default to ''
    // so the assignment does not raise an undefined-index notice.
    $_SESSION['url_referer'] = $_SERVER['HTTP_REFERER'] ?? '';
}
Without hashing strings in session variables, I do not know of a more efficient practice. Does anyone know the best practices?
Finest Regards,
Brad
The only chance is that you use a unique ID (as pointed out by gnud). This way you can track the incoming links. Referrer may be altered/removed by browsers or proxies (many companies do that).
Using the IP to track unique visitors is a bad idea. AOL still pools the IPs and you might use different IPs every few minutes, and with proxies your counting will not be very accurate.
I'd say, go with the unique ID.
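The unique-ID scheme gnud and the answer above recommend, as an added example that is not part of the original thread. It assumes PDO with `tracking_links` and `clicks` tables (constructed names) and a handler mounted at `/in/<id>`. The id is 128 random bits, so a placement id cannot be guessed or walked through sequentially, and the click handler accepts only ids it actually issued. The `Referer` is recorded as well, reduced to its host, but purely as supporting data; the id is what attributes the click to the client.

```php
<?php
// Added example: per-placement tracking links of the form
// www.yourdomain.com/in/<id>, with the click recorded against the id.
// Table names, DSN and the landing URL are assumptions.

declare(strict_types=1);

/** Creates a tracking id for one client placement and returns the full link. */
function create_tracking_link(PDO $db, int $clientId, string $baseUrl): string
{
    $id = bin2hex(random_bytes(16));            // 32 hex chars, unguessable
    $stmt = $db->prepare(
        'INSERT INTO tracking_links (id, client_id, created_at) VALUES (:id, :client, NOW())'
    );
    $stmt->execute([':id' => $id, ':client' => $clientId]);
    return rtrim($baseUrl, '/') . '/in/' . $id;
}

/**
 * Handles one hit on /in/<id>. Returns the owning client id, or null when the
 * id is unknown (typo, probing, deleted placement), in which case nothing is
 * recorded.
 */
function record_click(PDO $db, string $id, ?string $referer, string $ip): ?int
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return null;                            // not the shape of an id we issue
    }
    $stmt = $db->prepare('SELECT client_id FROM tracking_links WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $clientId = $stmt->fetchColumn();
    if ($clientId === false) {
        return null;
    }
    // Keep only the referring host; null if the header is absent or unparseable.
    $host = $referer === null ? null : (parse_url($referer, PHP_URL_HOST) ?: null);
    $stmt = $db->prepare(
        'INSERT INTO clicks (link_id, referrer_host, client_ip, clicked_at) VALUES (:id, :host, :ip, NOW())'
    );
    $stmt->execute([':id' => $id, ':host' => $host, ':ip' => $ip]);
    return (int) $clientId;
}

// Usage in the /in/<id> handler:
$db = new PDO('mysql:host=localhost;dbname=ads', 'ads', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?? '';
$client = record_click($db, basename($path), $_SERVER['HTTP_REFERER'] ?? null, $_SERVER['REMOTE_ADDR']);
if ($client === null) {
    http_response_code(404);
    exit;
}
header('Location: https://www.yourdomain.com/landing', true, 302);
```

Counting distinct visitors is, as the answer says, a separate problem; the `clicks` table here records every hit, and any de-duplication (by cookie, by session) is a reporting decision on top of it rather than something the IP column can give you.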
