9

I have written a PHP script that I would like to use on several domains on the same server (pointing to same script). I want to add functionality to the script so I can find out which domain the script is working with at any time. HTTP_HOST can be used to find the domain ,however, I have read that its not reliable especially with older browsers. My understanding is most Apache servers use virtual hosts which uses the same method anyway so if its not a problem with hosting providers it shouldn't be an issue with my code.

Can any one please verify this and clear the confusion ?

5 Answers5

10

HTTP_HOST is for the Host: header sent by HTTP 1.1 user-agents during the request. This is not used by HTTP 1.0 clients, so it won't appear then. However, nowadays, I don't think there are still many HTTP 1.0 clients.

Bruno
  • 119,590
  • 31
  • 270
  • 376
  • And even most HTTP 1.0 clients have extended into using this field now - only the old, not-updated HTTP 1.0 don't supply it. – Konerak Nov 04 '10 at 11:55
  • 2
    @Pekka not a big deal. Such imaginary client won't get to the most of sites (named virtual host based ones), so, it's just impracticable. – Your Common Sense Nov 04 '10 at 12:12
  • 2
    @Col yeah, that was what I was wondering: How can such a client request a resource from a multi-vhost server at all? That must be *really* old. Anyway, it answers the question – Pekka Nov 04 '10 at 12:13
9

Edit: I stand corrected: The HOST header is not present in HTTP 1.0 requests. See @Bruno's answer. Leaving mine in place because of the security considerations

The only issues with HTTP_HOST that I'm aware of are security issues, not compatibility ones.

The security issues stem from the fact that HTTP_HOST is sent by the user. If the web server is incorrectly set up and/or buggy, arbitrary HTTP_HOST values could make it to your site/script (see e.g. here for detailed discussion). Your application needs to be prepared for that.

It's good never to trust HTTP_HOST (e.g. it can be a good idea to set up an array of allowed values for it before processing it in your PHP script):

<?php
  $allowed_hosts = array("domain1.com", "domain2.com", "domain3.com");

  if (!in_array(strtolower($_SERVER["HTTP_HOST"]), $allowed_hosts))
   die ("Unknown host name ". $_SERVER["HTTP_HOST"]);
Community
  • 1
  • 1
Pekka
  • 442,112
  • 142
  • 972
  • 1,088
  • 1
    +1 for your answer too, although it's not about older browser compatibility, it's definitely on topic for "How reliable is HTTP_HOST?" – Bruno Nov 04 '10 at 11:44
  • @Pekka Thats what i intend to do. This also brings in another question thats on my mind would it be better to allow Apache to resolve this and use HTTP_SERVER the server alias instead. The only issue I have with this is making the host.conf dynamic. –  Nov 04 '10 at 12:59
  • @andicrook that would work, but you'd have to set up a vhost for every conceivable domain name. But seeing as you'll need to introduce all domain names into httpd.conf anyway.... – Pekka Nov 04 '10 at 13:14
  • I should be able to set virtual hosting to be dynamic or use CNAMES –  Nov 04 '10 at 13:55
  • @andi I must correct myself, I'm pretty sure that *is* possible using wildcards. Serverfault.com may have better answers on that specific issue – Pekka Nov 04 '10 at 13:56
  • @Pekka yes, you can use them with ServerAlias –  Nov 04 '10 at 13:59
1

Pekka's answer seems more interesting, but it seems that you want to know which browsers support http 1.1 and which dont. Found this on google: http://www.1-script.com/forums/Browser-Support-for-HTTP-1-1-article34982--8.htm

A note, from that thread: "a HTTP 1.0 browser cannot get to the non-default virtual host." That means that a browser that dont support http 1.1 cannot reach any website on a shared server as far as i know. Thare are LOTS of websites on shared hosts. Also subdomains might(no sure though) be "detected' in the same way, by using the HTTP_HOST var.

After reading these, i dont really think anyone uses a browser that old nowdays, it would be impossible for them to actually navigate the web:)

Quamis
  • 10,924
  • 12
  • 50
  • 66
  • mind you, there are still a lot of mobile phones out there that use HTTP/1.0 – bcosca Nov 04 '10 at 12:31
  • do you have one? I'm curios if they cannot actually access subdomains. – Quamis Nov 04 '10 at 13:03
  • Yes Apache uses HTTP_HOST for most virtual hosts, if its IP based hosting then it can use DNS reverse lookup which would create overhead anyway –  Nov 04 '10 at 14:12
0

This is what I answered in a similar question :

Looking into this myself for other purposes:

"HTTP/1.0 is in use by proxies, some mobile clients, and IE when configured to use a proxy. So 1.0 appears to still account for a non- trivial % of traffic on the web overall. ... Yes, there are many 1.0 clients still out there."

Source (July 2009): http://groups.google.com/group/erlang-programming/msg/08f6b72d5156ef74

:-(

I am personally getting quite a few HTTP/1.0 requests on my sites with a missing HTTP_HOST :-(

Community
  • 1
  • 1
Rafa
  • 1,397
  • 15
  • 21
0

This is an old post I stumble onto and the solution I gave is this:

I created a JSON file (my code makes extensive use of these which I call tokens) to become the single source of truth and to be open at the same time for modifications from who knows what new things will emerge in a application/framework:

// accounttoken.json
{
    "site": {
        "email": "admin@email.com",
        "password": "Bty1!",
        "firstname": "John",
        "secondname": "Doe",
        "country": "USA",
        "username": "Admin",
        "role": "admin",
        "protocol": "http://",
        "domain": "a9623c7ca853.eu.ngrok.io",
        "site_key": "fgRt4%$x!0($DqJi",
        "language": "en"
    },
    "google": {
        "client_id": "51965.apps.googleusercontent.com",
        "client_secret": "8Kz"
    },
    "db_mysql": {
        "db_port": 3306,
        "db_user": "<user>"
    },
// more entries here...
}

Now, all you have to do is to consult your entries in one file:

// find php executable
cent$ whereis php
php: /usr/bin/php7.0 /usr/bin/php /usr/lib/php /etc/php /usr/include/php ...

// start interactive shell
cent$ /usr/bin/php7.0 -a

php > $json = file_get_contents('accounttoken.json');
php > $json = json_decode($json, true);
php > echo('Your domain is: ' . $json['site']['domain']);
php > echo('The site url is: ' . $json['site']['protocol'] . $json['site']['domain']);
php > quit
centurian
  • 1,168
  • 13
  • 25
  • already proved correct: `cookie.domain` in another json file should be set to `localhost` while `site.domain` at this file should be set like in my example when redirecting localhost to ngrok server and test authentication! – centurian Jun 30 '20 at 14:57