Determining Referer in PHP
Using $_SERVER['HTTP_REFERER']
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
if (!empty($_SERVER['HTTP_REFERER'])) {
header("Location: " . $_SERVER['HTTP_REFERER']);
} else {
header("Location: index.php");
}
exit;
What I have found best is a CSRF token and save it in the session for links where you need to verify the referrer.
So if you are generating a FB callback then it would look something like this:
$token = uniqid(mt_rand(), TRUE);
$_SESSION['token'] = $token;
$url = "http://example.com/index.php?token={$token}";
Then the index.php will look like this:
if(empty($_GET['token']) || $_GET['token'] !== $_SESSION['token'])
{
show_404();
}
//Continue with the rest of code
I do know of secure sites that do the equivalent of this for all their secure pages.
The REFERER is sent by the client's browser as part of the HTTP protocol, and is therefore unreliable indeed. It might not be there, it might be forged, you just can't trust it if it's for security reasons.
If you want to verify if a request is coming from your site, well you can't, but you can verify the user has been to your site and/or is authenticated. Cookies are sent in AJAX requests so you can rely on that.