Re: HTTP REFERER not set in Internet Explorer

Saqib,

You should not use HTTP_REFERER. Opera and other browsers allow a user 
to shut it off entirely. That is a "tainted" variable that is user 
supplied and is not verifiable from the server end and thus should not 
be used to enhance security. If all you want to do is track the user, 
there are much simpler ways to do that. If you are trying to verify and 
force a certain path through your environment, you have a lot more work 
to do and we have a whole new conversation.

Hope this helps.

George

Saqib Ali wrote:

> Hello,
>
> I am writing a secure application that tracks users on a website by
> use of HTTP_REFERER. But see like Internet Explorer is not properly
> populating this field.
>
> Visit the following website using IE and Firefox.
> http://www.xml-dev.com/blog/referer_test.php
>
> And click on the Link that says "Click Here"
>
> With Firefox, the correct HTTP_REFERER will be displayed after you
> click the link. But with I.E. the HTTP_REFERER is set to blank.
>
> Has anyone ran into this issue? How did you make your application
> compatible with both I.E and Mozilla based browsers?
>
> Because of some security concerns I need the HTTP_REFERER to be set
> correctly. If it is not possible, I will have to restrict my users to
> a Mozilla based browser.
>
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/blog/
> Consensus is good, but informed dictatorship is better.
>