
Identifying Clients and Servers

When an HTTP transaction occurs, both the client and server involved can identify themselves. Like most identification on the Internet, this is both optional and easy to fake. The client identifies itself by sending a User-agent header that names the type of client connecting to the server. Correspondingly, the server sends a Server header to the client.

Even though the client and server identification is optional and can be faked, you will find this identification quite useful, particularly in the case of the User-agent. The User-agent header allows customized content for different clients. This allows everything from working around bugs in different browsers to enabling more advanced features in particular browsers.

Although the User-agent header is normally sent from browsers to servers, the Server header, at least some of the time, is not sent during the HTTP transaction. This is a security precaution because hiding the server's specific characteristics prevents security exploits tied to a specific server type.

Several sample User-agent strings are shown next:

  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)

  • Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)

  • Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; .NET CLR 1.1.4322)

  • Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/85.7 (KHTML, like Gecko) Safari/85

When you are programming PHP, you are generally interested in identifying the User-agent, not the Server (because your program already runs on the server). The standard PHP $_SERVER variable contains the User-agent. You can access it as follows:

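// The header is optional, so fall back to an empty string when it is absent.
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';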
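
Because the header is optional and easy to fake, a script should handle it as untrusted input and use it only to customize content. The following is an added example, not code from the book; the function names get_user_agent() and classify_user_agent() and the sample requests are constructed for illustration.

```php
<?php
// Added example: treat the User-agent header as untrusted, client-supplied input.

/** Return a bounded, printable copy of the header, or '' when it is absent. */
function get_user_agent(array $server)
{
    if (!isset($server['HTTP_USER_AGENT']) || !is_string($server['HTTP_USER_AGENT'])) {
        return '';   // the header is optional
    }
    // Drop control characters (CR/LF would forge log lines) and cap the length.
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $server['HTTP_USER_AGENT']);
    return substr((string) $ua, 0, 256);
}

/** Coarse browser family, suitable for content customization only. */
function classify_user_agent($ua)
{
    if ($ua === '') {
        return 'unknown';
    }
    if (preg_match('/\bMSIE (\d+)\.\d+/', $ua, $m)) {
        return 'msie' . $m[1];
    }
    if (strpos($ua, 'AppleWebKit/') !== false) {
        return 'webkit';
    }
    return 'other';
}

// Constructed sample requests: two strings from the list above, one string
// carrying markup and a line break, and one request without the header.
$samples = array(
    array('HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)'),
    array('HTTP_USER_AGENT' => 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/85.7 (KHTML, like Gecko) Safari/85'),
    array('HTTP_USER_AGENT' => "<b>fake</b>\r\nforged log line"),
    array(),
);

foreach ($samples as $server) {
    $ua     = get_user_agent($server);
    $family = classify_user_agent($ua);
    // Escape before the value reaches an HTML page; never base access
    // decisions on $family, since the client chooses what it sends.
    echo $family, ': ', htmlspecialchars($ua, ENT_QUOTES, 'UTF-8'), "\n";
}
```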
