I understand. To combine the Session Id with HTTP_REFERER sounds good but it didn't work too well. I'm still open to ideas... :-) Fortunately, not many people know it because it is done behind the scenes, so they'll have a lot more to guess about what's working behind the scenes.

"Christoph Grottolo" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > [EMAIL PROTECTED] (Chris Shiflett) wrote: > > >--- Scott Fletcher <[EMAIL PROTECTED]> wrote: > >> Many PHP programmer tried to their best to use > >> HTTP_REFERER so they can keep track of which > >> webpages on the current website did the user > >> last visited. > > > >I think I see what you are referring to now. > > > >The reason that many people (myself included) discourage > >the use of REFERER for this purpose is not only because > >support is inconsistent, but also because it is not > >required that a Web client send this header. In fact, the > >only required header in the latest version of HTTP (1.1) is > >the Host header. So, it really boils down to not depending > >on something that is not guaranteed to be there. > > It even dangerous to rely on HTTP_REFERER because it's not under your > control. The client could set the HTTP headers itself (e.g. a php > script using CURL, www.php.net/curl). You should at least combine the > REFERER check with a valid session on your host or look for a > corresponding log entry or something alike. > > Christoph -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php