Categories
Programming

Issues with HTTP Referrer and Redirection

Background
You learn something new everyday, and of course I’ve learned many new things during the course of my work. One of them involves the HTTP referrer. So the HTTP referrer is the url of the page that linked to webpage. You can get the HTTP referrer by using document.referer in JavaScript. This is useful if you are conditionally handling people who come from different sites differently. For example, if I wanted to redirect people who come via Google search results to a Google page, and people who come via Yahoo search results to a Yahoo page.

Issues
The main issues with using the referer address is that its not reliable, and using document.referer, cgi.http_referer, and the browser you are using can all yield different results, especially when combined with redirection.
1) When you open up a new tab, or go to a website using a bookmark, the HTTP referer is blank.
2) When you use the back button on a browser, the HTTP referer does not catch the url of the website you were just on.
3) If you use JavaScript’s

window.location

to redirect to a page, IE 7 and 8 will not get the HTTP referer. This has to due with how Internet Explorer gets its referers, which is defined as the origin of the page. If you use IE 9 emulating IE 7/8, you will not find this issue.
4) If you use coldfusion or meta refresh

 or 

to redirect to a page, Browsers other than Google Chrome will not catch the HTTP referer.

Conclusion
As you can imagine, this was a nightmare to test, and I had to get around this, especially the IE7/8 issue, by creating a form dynamically using JS, and setting hidden input fields to the param values you want, then submit it in order for IE 7/8 to catch the proper referrer. It’s a little bit digusting, but that’s what happens when you have to make something work on all browsers (don’t get me started on IE6). In the future, a more preferred way of redirection is to have the server send an HTTP 302 error code instead which can be caught in most browsers without issue, avoiding domain specific language to do the redirection. This might be a more reliable way of getting the HTTP header and referrer too.