I wouldn’t recommend using HTTP_REFERER
:
- It’s fairly simple to manipulable in browser.
- Some users might have security settings in their browser to not send this header at all.
- It’s not accessible over
HTTPS
. - Some proxies strip this header from the request
- Added – See answer to this quesion
As Charlotte Dunois stated in the comment, better set session value before sending the form and then check it on page2.
page1.php:
$_SESSION[ 'display_page2' ] = TRUE; //rest of the content
page2.php:
if ( (isset( $_SESSION[ 'display_page2' ] ) && $_SESSION[ 'display_page2' ] === TRUE ) || isset( $_POST[ 'some_form_input' ] ) ) { //keep displaying page2.php } else { header('Location:page1.php'); exit; }
With isset( $_POST[ 'some_form_input' ] )
, you can check whether the form has been sent (via POST method).
When needed, you can unset the session with unset( $_SESSION[ 'display_page2' ] );
or by setting it to different value.