PHP - Alternative to HTTP_REFERER for gathering requesting domain?


I have a simple tracking pixel, used for verifying user accounts:

<?php
    header('Content-Type: image/gif');
    readfile('trackingpixel.gif');

    if(isset($_GET['a'])){
        // ... stuff
    }

    if(isset($_GET['b'])){
        // ... stuff
    }

    if(isset($_GET['c'])){
        // ... stuff
    }

    // HTTP_REFERER is optional, so default to '' rather than raising an undefined-index notice
    $requesting = $_SERVER['HTTP_REFERER'] ?? '';

    // ... If requesting matches value stored in db, and a/b/c are all good, do stuff
?>

which is accessed via:

<img src="http://thisismydomain.com/trackingpixel.php?a=...&b=...&c=..." />

And it usually works, as expected.

The idea is that some users have their own domains, and want to "Claim" them, and verify that they are the true owners. We have other options for verification (i.e. META tags), but this is the simplest, for the most basic users - just copy and paste the transparent image, and Bob's your auntie.

The only $_SERVER variable that contains the requesting domain is HTTP_REFERER, but even the simplest Google search will return lots of articles discussing the unreliability, and easy spoofability, of the value.

Directly from PHP.NET

'HTTP_REFERER'

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

And there are myriad SO posts discussing the same.

As it stands, a semi-competent computer monkey could spoof their incorrect domain to display as the correct one, and then put the <img> on their page. My PHP script would think everything was hunky-dory, and pass all conditions.

No bueno! Pas bien!

Is there an alternative to HTTP_REFERER, that I can use to verify the requesting domain? Something that is safe, and preferably required?
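The question already names the alternative that does not depend on anything the browser sends: a META tag the domain owner places on their own page. The following is an added example, not code from the question or from any library, of how that check can be done server-side in PHP. It assumes the application stores a random per-claim token in its database and tells the user to put `<meta name="site-verification" content="TOKEN">` on the home page of the claimed domain; the function and tag names are hypothetical. Because the server fetches the page itself, no client-supplied header (Referer, Origin, Host) is involved in the decision.

```php
<?php
// Added example (not from the question): verify a claimed domain by fetching a
// page the owner controls and checking for a per-claim META token.
// Assumptions: a token is generated when the claim is created and stored with it;
// the META tag name "site-verification" and all function names are hypothetical.

declare(strict_types=1);

function newVerificationToken(): string
{
    // 32 random bytes, hex-encoded; stored alongside the pending claim.
    return bin2hex(random_bytes(32));
}

function isPlausibleDomain(string $domain): bool
{
    // Accept only a bare ASCII hostname (no scheme, port, path or userinfo), so the
    // fetch below can only ever be pointed at "https://<hostname>/".
    if ($domain === '' || strlen($domain) > 253) {
        return false;
    }
    return (bool) preg_match('/^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $domain);
}

function resolvesToPublicAddress(string $domain): bool
{
    // First-line SSRF guard: refuse names that resolve to private or reserved ranges.
    // (A DNS answer can change between this check and the fetch; treat it as a filter,
    // not a guarantee, and run the verifier from an isolated network segment.)
    $ip = gethostbyname($domain);
    if ($ip === $domain) {
        return false; // resolution failed
    }
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function fetchHomePage(string $domain): ?string
{
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'timeout'         => 5,
            'follow_location' => 0,      // never follow redirects to some other host
            'ignore_errors'   => true,   // return the body even on non-2xx so we can inspect status
            'user_agent'      => 'ExampleSiteVerifier/1.0',
        ],
    ]);
    $body = @file_get_contents('https://' . $domain . '/', false, $ctx);
    if ($body === false || $body === '') {
        return null;
    }
    // $http_response_header is populated in this scope by the http stream wrapper.
    if (!isset($http_response_header[0]) || !preg_match('#\s200\s#', $http_response_header[0])) {
        return null;
    }
    return substr($body, 0, 512 * 1024); // cap how much HTML we parse
}

function findMetaToken(string $html, string $name = 'site-verification'): ?string
{
    if ($html === '') {
        return null;
    }
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // real-world HTML is rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('meta') as $meta) {
        if (strcasecmp($meta->getAttribute('name'), $name) === 0) {
            return $meta->getAttribute('content');
        }
    }
    return null;
}

function verifyDomainOwnership(string $domain, string $expectedToken): bool
{
    if (!isPlausibleDomain($domain) || !resolvesToPublicAddress($domain)) {
        return false;
    }
    $html = fetchHomePage($domain);
    if ($html === null) {
        return false;
    }
    $found = findMetaToken($html);
    // Constant-time comparison so the check does not leak the token byte by byte.
    return $found !== null && hash_equals($expectedToken, $found);
}

// Usage sketch: when a claim is created, store newVerificationToken() with it and show
// the user the META tag to add. When they click "verify":
//   if (verifyDomainOwnership($claimedDomain, $storedToken)) { /* mark the claim verified */ }
```

The decisive difference from the tracking-pixel approach is who supplies the evidence: here the only input the user controls is the domain string, and proving ownership requires changing content served from that domain, which a visitor forging request headers cannot do. The tracking pixel can still be kept as a convenience, but it should not be what flips the "verified" flag.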


There are 0 best solutions below