[Zope] how to capture the referring URL??

Oliver Bleutgen <myzope@gmx.net>
Mon, 3 Sep 2001 21:28:47 +0200


>> Don't use referring url ;-)
>> Seriously, it depends of your problem, but it may be solved by using
>> some kind of user sessions...
>>
>> If you could explain more your problem, maybe someone could find another
>> solution?

> Here is a shot at what I am working on.
> This is an "Email to a Friend" thing.
> Thanks to anyone that can get me in the right direction.  And explain why I
> shouldn't use HTTP_REFERER.


Using http_referer for more than statistical reasons is
generally a problem, for two reasons:

1. security-wise:
Never trust the client! The browser constructs the referer
information and it can send for that whatever it wants to. 
So it makes no sense to try to prevent malicious users from
doing something based on the referer header of their browser.
Sites like geocities etc. try to hinder direct linking to
binary files on their site by requiring a local (for them)
referer. This is why various download utilities allow setting
a custom referer header.

2. it may not function
Apart from security considerations, which might not be
important in your case, various proxies strip referer
information for privacy reasons, so that they don't show
up in logfiles etc.

So point 2 seems more important in your case. 
But you seem to be in control of the pages which link
to your "Email to friend" form. If these pages are also
in zope, you could easily pass the "referer" information
to that form, i.e. 
<a href="link_to_email_to_friend_form?url=<dtml-var URL0 url_quote>">email this page to a friend</a>

To sum up, using the referer header is not advised for
security uses only, for others it's just not optimal, IMO.

cheers,
oliver
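
Added example, not part of the original post: a sketch of how the form's handler could pick the page URL from the explicit ?url= parameter, fall back to Referer only when the parameter is missing or unusable, and apply the same check to both, since both come from the client. SITE_HOST, the function names and the example.org addresses are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.example.org"  # assumption: the host name of your own site


def is_own_page(url, site_host=SITE_HOST):
    """True only for http(s) URLs that point at our own host."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal in the host part
        return False
    return (
        parts.scheme in ("http", "https")
        and parts.hostname == site_host
        and parts.username is None  # rejects "http://our.host@elsewhere/"
    )


def page_url_for_email(query_string, headers, site_host=SITE_HOST):
    """Return the page URL to mention in the e-mail, or None.

    The ?url= value set by the linking page is the primary source, so the
    form keeps working when a proxy strips Referer. Referer is a fallback
    only. Neither is trusted: each candidate must pass is_own_page().
    """
    candidates = parse_qs(query_string).get("url", [])[:1]
    referer = headers.get("Referer")
    if referer:
        candidates.append(referer)
    for candidate in candidates:
        if is_own_page(candidate, site_host):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed request: url_quote'd parameter, Referer stripped by a proxy.
    print(page_url_for_email("url=http%3A//www.example.org/news/item1", {}))
```
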