$_SERVER['HTTP_REFERER'] shows current page

I have a tracking script that I use to save analytic data to our company database. We have quite a few websites (around 2000 domains) and PPC campaigns and the script I'm using works just fine.

I know that the $_SERVER['HTTP_REFERER'] is not 100% reliable and can be either empty or spoofed, whatever, that is a small minority of the leads we have coming in (I take this into account in my tracking script).

The problem is that although my $_SERVER['HTTP_REFERER'] var always comes back empty if I echo it out on the affected page, it is passed to the tracking script (via a $_SESSION var) as the current page URL. It's as if (note the 'as if', I know this is not the case) PHP is substituting $_SERVER['REQUEST_URI'] for $_SERVER['HTTP_REFERER']. This is from the landing page:

$_SESSION['keywords'] = $_SERVER['HTTP_REFERER'];
require_once 'tracking.php';
$raw_query = $_SESSION['keywords'];
 $key_browser = getKeywords($raw_query);
 $keywords = $key_browser['keywords'];
 $referer = $key_browser['referer'];
 $user_agent = getBrow开发者_开发百科serOs($_SERVER['HTTP_USER_AGENT']);
 $br = $user_agent['browser'];
 $os = $user_agent['os'];

The tracking script is inconsequential because the variables I pass it are not altered.

if you load your script with HTML tag like <script src="mytracking.php"></script>, referer will be the same as request_uri because request_uri is the one that requests the script.

The only script that gets the referer from which user came if link is clicked is the script that responds to the request from the browser. All resources, loaded via HTML tags will have the current page as referer. Which, by the way, is often used as a protection against hot-linking of images and other resources.

Well I've found no proper solution so I've opted to use a hidden field whose value is populated with javascript's document.referrer property and simply passed that to the tracking script. Definitely works although I'm not too pleased that I couldn't find a better solution.