
Thread: Is ['HTTP_REFERER'] dangerous, if I use an array of predefined URLs for validation?

  1. #1
    Join Date
    Jan 2012

    Is ['HTTP_REFERER'] dangerous, if I use an array of predefined URLs for validation?


    I am doing a login page for my application. When a user wants to go to "myaccount.php" but he's not logged in, he's redirected to login.php.

    When login is successful, I want him to be redirected to $_SERVER['HTTP_REFERER'], which will be various pages of my application.

    I read on a forum that ['HTTP_REFERER'] can be dangerous.

    But what if I create an array like ('myaccount.php','mycart.php', etc...) and compare this array to $_SERVER['HTTP_REFERER'], will this protect me against potential malicious use of this feature?


  2. #2
    Join Date
    Feb 2012
    Yes, comparing it against a fixed list is perfectly safe.

    But you should not use $_SERVER['HTTP_REFERER']. Not all browsers send this information.

    Store the current URL ($_SERVER['REQUEST_URI']) in the session, then direct the user to the login page, then - if successful - redirect the user to the URL stored in the session.

  3. #3
    Join Date
    Jan 2012
    Thank you for your suggestion. I hadn't thought of using SESSION but this has solved the problem.
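
The approach from reply #2 combined with the fixed list from the question, as an added example that is not code from the thread. The page names, the session keys `return_to` and `user_id`, and the function names are assumptions.

```php
<?php
// Added example: page names, session keys and function names are assumptions.
session_start();

const RETURN_PAGES = ['/myaccount.php', '/mycart.php']; // fixed list of return targets
const DEFAULT_PAGE = '/myaccount.php';

// Return $uri only if it is a local URL whose path is on the fixed list.
function safe_return_target($uri): string
{
    // Reject non-strings, whitespace, control characters (header splitting) and backslashes.
    if (!is_string($uri) || preg_match('/[\x00-\x20\\\\]/', $uri)) {
        return DEFAULT_PAGE;
    }
    $parts = parse_url($uri);
    // A scheme or host means the URL points away from this application.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return DEFAULT_PAGE;
    }
    if (!in_array($parts['path'] ?? '', RETURN_PAGES, true)) {
        return DEFAULT_PAGE;
    }
    return $parts['path'] . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Call at the top of a protected page such as myaccount.php.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI']; // remember where the user was going
        header('Location: /login.php');
        exit;
    }
}

// Call in login.php after the credentials have been verified.
function complete_login(int $userId): void
{
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['user_id'] = $userId;
    $target = safe_return_target($_SESSION['return_to'] ?? null);
    unset($_SESSION['return_to']);
    header('Location: ' . $target);
    exit;
}
```

Because the target is read from the server-side session and still checked against the fixed list, a protocol-relative value such as `//example.com/myaccount.php` falls back to the default page instead of being followed.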

