3

I am interested in logging from where a user comes in order to access my web app.

I thought of using HTTP's referrer header for that, but from e.g. the HTTP referrer wiki
it seems that this is not an accurate/reliable way since in many cases it is not sent.

I was wondering is the referrer header the only way? Is there a better/standard approach?

Cratylus

4 Answers

3

A reliable way would be to have ?ref=somehash as a GET parameter.

For example:

Consider this site, SO: they have a list of questions. Now there is a portlet which streams the recent questions to some other site, for example abcd.com. To see if a user clicked the link from abcd.com, you pass a parameter ?ref=423jahjaghr, where this string maps to abcd.com.

jmj
  • any string that uniquely identifies the source, for example if you give a link to some other site in a portlet or something, then set the hash for that reference – jmj Feb 02 '12 at 06:36
  • I should use a hash (instead of a full URL) so as to keep the characters in the URL at a minimum? – Cratylus Feb 02 '12 at 06:38
  • 1
    Note that request parameters are also fully controllable/editable by the end user. It's more reliable than the referrer but not bulletproof :) – BalusC Feb 02 '12 at 13:18
  • @BalusC that's why I said hash, so most of the users are filtered out – jmj Feb 02 '12 at 13:35
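
The token scheme from this answer, combined with the caveat raised in its comments, as an added example that is not code from any poster: a known `ref` token is mapped to a source name, the Referer host is used as a fallback, and the log entry records which kind of evidence was used. The `REF_TOKENS` table, the function name `traffic_source` and the evidence labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical token -> source table; the token is the one used in the answer above.
REF_TOKENS = {"423jahjaghr": "abcd.com"}

# Only plain host names reach the log, which keeps CR/LF and other
# log-breaking characters from a forged Referer out of it.
HOST_RE = re.compile(r"[a-z0-9.-]{1,253}")


def traffic_source(request_url, referer=None):
    """Return (source, evidence) for an analytics log entry.

    Both inputs are supplied by the client, so the result is a hint for
    statistics and must never feed an access-control decision.
    """
    try:
        params = parse_qs(urlsplit(request_url).query)
    except ValueError:
        params = {}
    token = params.get("ref", [""])[0]
    if token in REF_TOKENS:
        return REF_TOKENS[token], "ref-param"

    try:
        host = urlsplit(referer or "").hostname or ""
    except ValueError:
        host = ""
    if HOST_RE.fullmatch(host):
        return host, "referer-header"

    # An unrecognised token is never echoed into the log; only the fact
    # that one was present is recorded.
    return "unknown", ("unmapped-ref" if token else "none")
```

Logging the evidence label next to the source lets later analysis weigh `ref-param` hits differently from `referer-header` ones.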
1

Referrer header isn't the only way, but it is the most standard.

You can consider using Google Analytics, which has extra referrer capabilities, but you'd have to manually set up collecting the data from their services to input into your logging infrastructure.

Nothing is going to be 100% foolproof though. It's pretty straightforward to block Google Analytics and spoof referrers, and HTML5 will make it even easier to prevent sending referrer information.

If it's mission critical that you know the referrer of all inbound traffic, you'll have to come up with a more draconian approach (like @Jigar Joshi has suggested).

Alan
0

Depending on the browser, you may OR may not get the referrer header. You may not get it always. You have to have a request parameter OR a form field to get the referrer.

Ravindra Gullapalli
0

HTTP Referer is a good way to analyze logs and to maintain analytics on user interactions. However, a browser or any other system which displays webpages and is able to traverse a webpage might not send this header entry.

You might also consider using a third-party application like Google Analytics. But you should check if this third-party tool is legal in your country. Most of them have data-privacy issues.

Very important note: for analytics it's OK if you have a certain error in the expected outcome. However, never do any security-related checks on the HTTP referer. Someone might enter whatever they want as the referer.

halfer
fyr