If I recall from reading the Mouse book a couple years ago, many of the CGI environment variables such as http_referrer are dependant on the client's browser communicating the necessary information, and any firewalls or anonymizing utilities between the server and the client not stripping away such info. What all those 'ifs' boil down to is that you cannot rely on getting anything meaningful 100% of the time from http_referer.
One solution would be to use cookies (which are also browser dependant). Another would be to use hashed session ID's passed via the URL to maintain session identity. And there are lots of other session management tools as well. http_referer really isn't intended to be used for session management.
If you want a good crash course in CGI and session management, I like the second edition of the Mouse book published by O'Reilly: CGI Programming with Perl. And as for session tools, there is the CGI::Session module on CPAN.
An update to add some trivia:
I was looking into why my spell checker told me that the word is "referrer" and yet the protocol is "referer". Googling turned up the following Wikipedia entry: Referer. In addition to explaining the spelling discrepancy, it also goes on to confirm my suggestion, that http_referer is not a reliable source of information.
|