在 PHP 中确定 Referer
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/165975/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Determining Referer in PHP
提问by UnkwnTech
What is the most reliable and secure way to determine what page either sent, or called (via AJAX), the current page. I don't want to use the $_SERVER['HTTP_REFERER'], because of the (lack of) reliability, and I need the page being called to only come from requests originating on my site.
Edit: I am looking to verify that a script that preforms a series of actions is being called from a page on my website.
确定当前页面发送或调用(通过 AJAX)的页面的最可靠和最安全的方法是什么。$_SERVER['HTTP_REFERER']由于(缺乏)可靠性,我不想使用,并且我需要调用的页面仅来自源自我网站的请求。
编辑:我希望验证是否正在从我网站上的页面调用执行一系列操作的脚本。
采纳答案by Seldaek
The REFERER is sent by the client's browser as part of the HTTP protocol, and is therefore unreliable indeed. It might not be there, it might be forged, you just can't trust it if it's for security reasons.
REFERER 由客户端的浏览器作为 HTTP 协议的一部分发送,因此确实不可靠。它可能不存在,它可能是伪造的,如果出于安全原因,您就不能信任它。
If you want to verify if a request is coming from your site, well you can't, but you can verify the user has been to your site and/or is authenticated. Cookies are sent in AJAX requests so you can rely on that.
如果您想验证请求是否来自您的站点,那么您不能,但您可以验证用户是否已访问您的站点和/或已通过身份验证。Cookie 在 AJAX 请求中发送,因此您可以依赖它。
回答by We0
What I have found best is a CSRF token and save it in the session for links where you need to verify the referrer.
我发现最好的是 CSRF 令牌并将其保存在会话中,以便您需要验证引用者的链接。
So if you are generating a FB callback then it would look something like this:
因此,如果您要生成 FB 回调,则它看起来像这样:
$token = uniqid(mt_rand(), TRUE);
$_SESSION['token'] = $token;
$url = "http://example.com/index.php?token={$token}";
Then the index.php will look like this:
然后 index.php 将如下所示:
if(empty($_GET['token']) || $_GET['token'] !== $_SESSION['token'])
{
show_404();
}
//Continue with the rest of code
I do know of secure sites that do the equivalent of this for all their secure pages.
我确实知道安全站点对其所有安全页面都执行相同的操作。
回答by AMB
Using $_SERVER['HTTP_REFERER']
使用$_SERVER['HTTP_REFERER']
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
将用户代理引用到当前页面的页面地址(如果有)。这是由用户代理设置的。并不是所有的用户代理都会设置这个,有些提供修改 HTTP_REFERER 的能力作为一个特性。简而言之,它不能真正被信任。
if (!empty($_SERVER['HTTP_REFERER'])) {
header("Location: " . $_SERVER['HTTP_REFERER']);
} else {
header("Location: index.php");
}
exit;
回答by gizmo
There is no reliable way to check this. It's really under client's hand to tell you where it came from. You could imagine to use cookie or sessions informations put only on some pages of your website, but doing so your would break user experience with bookmarks.
没有可靠的方法来检查这一点。它真的在客户的手中告诉你它来自哪里。您可以想象使用仅放置在您网站的某些页面上的 cookie 或会话信息,但这样做会破坏用户对书签的体验。
回答by justnajm
We have only single option left after reading all the fake referrer problems: i.e. The page we desire to track as referrer should be kept in session, and as ajax called then checking in session if it has referrer page value and doing the action other wise no action.
在阅读了所有假推荐人问题后,我们只剩下一个选项:即我们希望作为推荐人跟踪的页面应该保留在会话中,并且作为 ajax 调用然后检查会话是否有推荐人页面值并执行其他操作行动。
While on the other hand as he request any different page then make the referrer session value to null.
另一方面,当他请求任何不同的页面时,将引用会话值设为空。
Remember that session variable is set on desire page request only.
请记住,会话变量仅在期望页面请求时设置。
