Why does it matter? REFERER is only an interesting value for logging and doing back-of-the-envelope flow-analysis on your overall website.
You surely can't be using it for authentication or authorization, because it's trivial to forge, and gets stripped by security firewalls, and also comes back wrong or differently on different browsers, as you've noticed.
-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.
As has been stated before many times, HTTP_REFERER is a silly toy that can't be trusted more than anything else that is submitted on a form. Any time you feel the need to trust the HTTP_REFERER's value you need to change your approach. It should not be used for auth, site flow (unless your output of site flow is considered as untrustworthy as HTTP_REFERER itself) or anything else you need to trust.
-Waswas
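An added example, not code from any poster in this thread: a Perl sketch of why a Referer check fails both ways the replies above describe (the header is whatever the client sends, and it can be stripped for legitimate users), next to one possible replacement, a server-issued HMAC token. The site URL, secret, session id and function names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed values for illustration only.
my $SITE   = 'https://www.example.com/';
my $SECRET = 'server-side-secret-placeholder';   # stays on the server

# Weak check: trusts a header whose value the client chooses.
sub referer_ok {
    my ($env) = @_;
    my $ref = $env->{HTTP_REFERER} // '';
    return index($ref, $SITE) == 0 ? 1 : 0;
}

# Alternative (an assumption, not from the thread): a token the server
# issued for this session and can recompute without trusting the client.
sub issue_token {
    my ($session_id) = @_;
    return hmac_sha256_hex($session_id, $SECRET);
}

sub token_ok {
    my ($session_id, $token) = @_;
    my $expected = issue_token($session_id);
    return 0 unless defined $token && length($token) == length($expected);
    # Compare every character so timing does not depend on the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($token, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed requests: what the server sees in each case.
my $session = 'sess-1234';
my @cases = (
    [ 'legit browser',                  { HTTP_REFERER => $SITE . 'form.html' }, issue_token($session) ],
    [ 'legit, header stripped',         {},                                      issue_token($session) ],
    [ 'client-chosen header, no token', { HTTP_REFERER => $SITE . 'form.html' }, undef ],
);

for my $case (@cases) {
    my ($name, $env, $token) = @$case;
    printf "%-32s referer_ok=%d token_ok=%d\n",
        $name, referer_ok($env), token_ok($session, $token);
}
```

The second and third rows are the ones to look at: the Referer check rejects a legitimate user whose header was stripped and accepts a request that only claims to come from the site, while the token check gets both right.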
It's completely a matter of what the browser decides to do, because it's the browser that sends the referer header. My experience is that Mozilla browser doesn't change the referer header based on redirects, though that research was limited to (I think) Mozilla.
--Bob Niederman, http://bob-n.com