1

I'm trying to work out how to establish whether or not a visitor to a site I built has come from Google or not. The client is running an Adwords campaign and Google has objected to the fact that the user is redirected when they arrive at the site, so I need to add an exception for this.

It has to be handled by PHP rather than the Analytics JS because the module which handles the redirects executes before any output is even sent to the browser, and it is easy to add in an exception as there are already exceptions for API calls. In the past I'd have just used HTTP_REFERER for this but my understanding is that since Google has started using https for logged in users and plain old http for non-logged in ones, the headers and HTTP_REFERER are not available for a chunk of the inbound traffic from Google.

This Q&A -> Get Original Referrer URL from Google Search with PHP? suggests that only the query becomes unavailable. But this one -> In what cases will HTTP_REFERER be empty , with a lot more upvotes, suggests that HTTP_REFERER will be empty.

However my own tests on my own site when logged in to Google and when Googling incognito suggest that HTTP_REFERER and the querystring are available regardless of the protocol Google is using. So I can Google 'McNab Magento Contact' and click on the link for www.mcnab.co/contact/‎ and the whole shebang is available at the bottom of the page. I've left it up there to demonstrate;

enter image description here

Question

I am completely confused by this. If I can't reliably use HTTP_REFERER to establish whether the user has arrived from Google, how should I be handling this?

Community
  • 1
  • 1
McNab
  • 6,767
  • 4
  • 35
  • 55
  • 6
    _“Should I be able to reliably use HTTP_REFERER [for purpose X]”_ – no, of course not, never – no matter what “X” actually might be. – CBroe Nov 07 '13 at 10:10
  • @CBroe - OK, maybe I've asked the question badly then, I will rephrase it! – McNab Nov 07 '13 at 10:14
  • @rid - Ah, thank you. So that explains the focus on CBroe's comment. There's no security issue with it, if someone wants to spoof it they are welcome to. I didn't mean 'reliable' as in 100% bullet proof, secure, and perfect. I just meant 'it's an acceptable workable solution given the caveats' kind of reliable. :) – McNab Nov 07 '13 at 10:24
  • Unless I'm missing something, `HTTP_REFERER` is a browser feature. There's no server-side technique to prevent the browser from sending it (or force it to send it). Cases described in [the question you link](http://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty) should apply, though I'm not fully sure that all browsers stop sending it when you switch from HTTPS to HTTP. – Álvaro González Nov 07 '13 at 10:26
  • As people have mentioned, yes, you can spoof HTTP_REFERER - But, in reality, this isn't really a huge issue, if you take into account the quirks. - However, if Google don't like you redirecting the user, would it be worth considering a different way of handling the landing pages so that doesn't happen? – OddEssay Nov 07 '13 at 10:31
  • @ÁlvaroG.Vicario - Right I am learning. You are correct, browsers are behaving slightly differently. I was testing in Chrome and Firefox doesn't show https even when coming from Google as https, it just shows http. Thanks for the comment. – McNab Nov 07 '13 at 10:37
  • @OddEssay - Yes, it's a good question you ask. Unfortunately it's a Magento multi store with a map of the USA and store switcher which takes user to different state-specific stores which each have their own catalogue. Too much work to redo that I think, I might just see how things go using HTTP_REFERER and play it by ear. Thanks! – McNab Nov 07 '13 at 10:39

0 Answers0