8 Replies Latest reply on Oct 31, 2007 3:07 AM by Newsgroup_User

    Check for referrers

    v_roma
      Hi,

      Is it possible to check where a visitor is coming from and only allow that visitor to view a page if coming from a specific domain? This domain would be outside my website. Also, I'm using CF 5.

      Thanks much!
        • 1. Re: Check for referrers
          jdeline Level 1
          CGI.HTTP_REFERER is the variable you are looking for. Note that sometimes it is not present, so you must first do <CFIF IsDefined(CGI.HTTP_REFERER)>.
          • 2. Re: Check for referrers
            Level 7
            > CGI.HTTP_REFERER is the variable you are looking for. Note that sometimes it is not present, so you must first do <CFIF IsDefined(CGI.HTTP_REFERER)>.

            That's not going to get you too far: CF always returns "YES" for
            isDefined("CGI.anythingYouLikeHere").

            You'd want to do:
            structKeyExists(CGI, "anythingYouLikeHere")

            EG:
            structKeyExists(CGI, "http_referer")

            But in the case of CGI.http_referer, it ALWAYS exists. It might just be
            blank.

            --
            Adam


            • 3. Re: Check for referrers
              Dan Bracuk Level 5
              The variable you want is cgi.http_referer, as stated by jdeline. The function you want is contains.
              • 4. Check for referrers
                v_roma Level 1
                Thank you all for the responses so far. I've been reading up on http_referer and I'm starting to think it's too unreliable (i.e., often blocked/blank) for my purposes. Is there any other way I can make sure that the users trying to access my website are only coming from a specific page? For example, in the link to my website in the "source" website, I could have a URL variable, which I would check to make sure it existed on my side before allowing the users to access the website. But that seems too flimsy since any user could look at the bottom of the screen when hovering over the link to get the url and url variable. After that, the user would no longer need to go through the first page/site but would simply have to type in the URL with the URL variable. Is there any way to mask the passing of a URL variable? Any other suggestions?

                Thanks again
                • 5. Re: Check for referrers
                  Dan Bracuk Level 5
                  Set a session variable on the page you want them to visit first and then check to see if it exists on subsequent pages.
                  • 6. Re: Check for referrers
                    Level 7
                    Dan Bracuk wrote:
                    > Set a session variable on the page you want them to visit first and then check to see if it exists on subsequent pages.

                    Except the OP said that the page was on another domain outside the
                    website.

                    Have you checked into your web server of choice? I am familiar with both
                    Apache and IIS having the capability to restrict access to a web site
                    based on the client's IP address. Not foolproof, but then very little with
                    web applications is entirely foolproof.
                    • 7. Re: Check for referrers
                      v_roma Level 1
                      Dan, thanks for the suggestion. I should've mentioned this already but the first website is on a different (non-CF) server and the only thing I will have control over is probably what the link looks like. That's why I was hoping the http_referer would do the trick.
                      • 8. Re: Check for referrers
                        Level 7
                        > control over is probably what the link looks like. That's why I was hoping the
                        > http_referer would do the trick.

                        That is the only way exposed by the HTTP protocol to know the referring URL
                        for the current request.

                        Each HTTP request is, intentionally, a stand-alone transaction, so it's
                        really only a "courtesy" that you even get that info.

                        --
                        Adam
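
The referer check discussed in replies 1 to 3, written out as an added example that is not part of any poster's reply: it treats a blank `CGI.HTTP_REFERER` as "no referrer" and compares only the host part against one allowed domain. The hostname `partner.example.com` and the variable names are placeholders; visitors whose browser or proxy strips the header are refused, and because the header is supplied by the client this is a convenience filter, not access control.

```cfml
<!--- Added example. allowedHost is a placeholder for the one external
      domain whose links may lead to this page. --->
<cfset allowedHost = "partner.example.com">

<!--- CGI.HTTP_REFERER always exists; it is an empty string when the
      browser or a proxy did not send the header. --->
<cfset referer = Trim(CGI.HTTP_REFERER)>
<cfset refererHost = "">

<cfif Len(referer)>
    <!--- Keep only the host: drop scheme, optional port, path and query.
          If the pattern does not match (odd scheme, user:pass@ prefix),
          the whole string comes back unchanged and the comparison below
          fails closed. --->
    <cfset refererHost = LCase(REReplaceNoCase(referer,
        "^https?://([^/:?@]+)(:[0-9]+)?([/?].*)?$", "\1"))>
</cfif>

<!--- Compare the host exactly. A substring test on the whole URL would
      also match the domain name appearing in a path or query string. --->
<cfif refererHost NEQ allowedHost>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>This page can only be reached from #allowedHost#.</cfoutput>
    <cfabort>
</cfif>

<!--- Page content for visitors arriving from allowedHost continues here. --->
```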