
Suppose a website xyz.com sends a visitor to my web page domain.com/test.php?id=1 and for security reasons, I've added some PHP sessions in test.php and redirect the visitor to domain.com/process.php.

Now I want to redirect the visitor from process.php to a website say example.com.

The problem here is xyz.com can send visitors from iframe or img tag as below:

<img src="http://domain.com/test.php?id=1" height="0" width="0" alt=""/>

which will also be counted as a valid visitor, as all the code will run in test.php as well as process.php, but the visitor will not be redirected to example.com.

To prevent this I thought to check if the visitor is referred to process.php from test.php of domain.com or from xyz.com.

Code I use to check the referrer domain in process.php:

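<?php
// Host part of the Referer header; empty string when the header is absent
$ref = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
if ($ref != "domain.com") {
    echo "Bad Referral";
    exit;
} else {
    header("Location: http://example.com");
    exit; // stop the script once the redirect header is sent
}
?>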

Now the problem here is that the above code gives the referrer domain as xyz.com only. How can I get the latest referrer domain?

The target here is to redirect the visitor successfully to example.com and not be cheated by fake redirects from img or iframe tags. Any other method will also be appreciated. Only PHP code is required. No JavaScript.

EZ SERVICES
  • Both routes are through test.php -> process.php, so it is not important whether the browsers take the latest URL as referer or not. (BTW they don't do that: http://stackoverflow.com/questions/2158283/will-a-302-redirect-maintain-the-referer-string ) I suggest making a difference between the two routes with a parameter. For example: http://domain.com/test.php?redirect=0 – Crouching Kitten Jan 06 '17 at 21:01
  • Both pages have parameters. – EZ SERVICES Jan 07 '17 at 03:29
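
The following is an added example, not part of the original question or its comments. As the question describes, process.php sees the same Referer for a real visit and for an `<img>` or `<iframe>` load, so this sketch uses a different server-side signal: the Fetch Metadata request headers (`Sec-Fetch-Dest`, `Sec-Fetch-Mode`) that current browsers attach to each request. Assumptions: the site is served over HTTPS (browsers send these headers only to secure origins), and `classify_fetch()` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. classify_fetch() is a hypothetical helper.
// Assumes HTTPS: browsers send Sec-Fetch-* headers only to secure origins.

function classify_fetch(array $server): string
{
    $dest = strtolower($server['HTTP_SEC_FETCH_DEST'] ?? '');
    $mode = strtolower($server['HTTP_SEC_FETCH_MODE'] ?? '');

    if ($dest === '' && $mode === '') {
        return 'unknown';      // older browser, plain HTTP, or non-browser client
    }
    if ($dest === 'document' && $mode === 'navigate') {
        return 'top-level';    // link click, address bar, or redirect in the main window
    }
    return 'embedded';         // image, iframe, script, fetch/XHR, ...
}

if (PHP_SAPI === 'cli') {
    // Constructed sample header sets, for running this file from the command line.
    $samples = [
        'link click' => ['HTTP_SEC_FETCH_DEST' => 'document', 'HTTP_SEC_FETCH_MODE' => 'navigate'],
        'img tag'    => ['HTTP_SEC_FETCH_DEST' => 'image',    'HTTP_SEC_FETCH_MODE' => 'no-cors'],
        'iframe'     => ['HTTP_SEC_FETCH_DEST' => 'iframe',   'HTTP_SEC_FETCH_MODE' => 'navigate'],
        'no headers' => [],
    ];
    foreach ($samples as $label => $headers) {
        printf("%-10s => %s\n", $label, classify_fetch($headers));
    }
    exit;
}

// Web request (process.php): only a top-level navigation is redirected.
$kind = classify_fetch($_SERVER);
if ($kind === 'top-level') {
    // Record the visit here, then send the visitor on.
    header('Location: http://example.com');
    exit;
}
// 'embedded' and 'unknown' are rejected and not counted. Treating 'unknown'
// more leniently is a policy choice for sites with older clients.
http_response_code(403);
echo 'Bad Referral';
exit;
```

These headers are supplied by the client, so a scripted client can omit or set them; the check covers ordinary browsers loading the URL through an `<img>` or `<iframe>` tag.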

0 Answers