php header('Location: http://example.com') does not pass the referrer

Question

Problem:

While redirecting user from http://sample.com to http://example.com via header('Location: http://example.com') - $_SERVER['HTTP_REFERER']; is empty.

Even after setting referer via header('Referer: http://sample.com') and then redirecting via header('Location: http://example.com') - $_SERVER['HTTP_REFERER']; is still empty.

Expected outcome:

http://example.com receives $_SERVER['HTTP_REFERER'] with appropriate referrer on redirection via header('Location: http://example.com')

Use case

• User receives unique invite link via email pointing to http://sample.com
• User clicks link and is redirected to http://sample.com/?i=123456
• http://sample.com validate invite and if it's still valid(i.e. unused) redirects user to http://example.com/?i=123456
• http://example.com does not have ability to validate invitation, thus it's important to know if user was redirected from the right source

Other:

• behavior is correct if user cliks a link on http://sample.com
• behavior is correct if user is redirected via javascript `window.location="http://example.com"
• $_GET is not an option as it can be very easily forged since http://example.com can't validate invitation

Answer 1

From PHP Doc Server Variables:

'HTTP_REFERER' The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

You might be better off setting the current url in a Cookie or Session and using that.