I wouldn’t recommend using HTTP_REFERER:
- It’s fairly simple to manipulable in browser.
- Some users might have security settings in their browser to not send this header at all.
- It’s not accessible over
HTTPS. - Some proxies strip this header from the request
- Added – See answer to this quesion
As Charlotte Dunois stated in the comment, better set session value before sending the form and then check it on page2.
page1.php:
$_SESSION[ 'display_page2' ] = TRUE; //rest of the content
page2.php:
if ( (isset( $_SESSION[ 'display_page2' ] ) && $_SESSION[ 'display_page2' ] === TRUE ) || isset( $_POST[ 'some_form_input' ] ) ) {
//keep displaying page2.php
} else {
header('Location:page1.php');
exit;
}
With isset( $_POST[ 'some_form_input' ] ), you can check whether the form has been sent (via POST method).
When needed, you can unset the session with unset( $_SESSION[ 'display_page2' ] ); or by setting it to different value.