Pavi

Reputation: 1739

Passing and retrieving referer page url

So I have been writing a login script which upon successful login, redirects to the previous page. I've seen a few ways to pass the referer URL:

  1. Using $_SERVER['HTTP_REFERER'] - Sends in the whole referer URL. Possible to be manipulated. So not to be trusted.

  2. $_GET and passing the referer as url parameter. Not secure at all.

  3. Using hidden fields in the form. Not so secure either, even with POST.

So, since method 2 allows most flexibility, I'm choosing that. The question is: If I pass the URL without the domain ('http://www.domain.com/' stripped), and later manually prepend the domain when redirecting, can I be sure that the resulting URL redirect stays within my domain? If not, what can I do to make sure it doesn't stray away?

(Assume that, if no page with the resulting URL exists, it will be redirected to the home page.)

E.g.: http://www.domain.com/login.php?ref=category/products/product-1.php. On successful login, the page is redirected to 'http://www.domain.com/'.$_GET['ref']

What I know should be done to validate the referer url parameter:

  1. '../' can help navigate to the previous folder and must be removed if any.

  2. All tags passed in the referer url parameter must be stripped.

  3. All '://' must be removed.

Upvotes: 0

Views: 489

Answers (1)

Tomáš Jacík

Reputation: 690

A few tips:

  1. You don't need to provide the domain in the redirect at all. So don't bother with domains if you don't need to redirect to another one. Of course you must check that no domain is faked in $ref.
  2. You can use page aliases in $ref instead of real URLs and construct the URL before redirecting.
  3. The only really secure way is checking the URL against URLs that really exist on your site.

Upvotes: 1
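An added example (not code from the question or the answer) of the validation the answer's tip 3 describes, applied to the question's `ref` parameter: the path is rejected if it carries a scheme, a leading `//`, a backslash, or any `.`/`..` segment, and then only accepted if it resolves to an existing file inside the document root. It assumes PHP 8 (for `str_starts_with`) and, hypothetically, that site pages are files under `$docroot`.

```php
<?php
// Added example: keep the post-login redirect on this site by validating "ref".
// Assumes PHP 8 and that site pages live as files under $docroot (hypothetical layout).
// Query strings and fragments in "ref" are dropped; only the path is kept.

function safe_redirect_path(string $ref, string $docroot): string
{
    $home = '/';
    // Decode once so "%2F%2Fevil" is judged as "//evil", then cut off "?..." / "#..."
    $path = explode('#', explode('?', rawurldecode($ref), 2)[0], 2)[0];

    // Reject anything that could carry a host: "http://", "//evil.example", "\\evil"
    if ($path === ''
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $path)
        || str_starts_with($path, '//')
        || str_contains($path, '\\')
        || preg_match('/[\x00-\x1f\x7f]/', $path)) {
        return $home;
    }

    // Split into segments and refuse "." and ".." outright (no "../" climbing)
    $segments = array_values(array_filter(explode('/', $path), fn ($s) => $s !== ''));
    foreach ($segments as $seg) {
        if ($seg === '.' || $seg === '..') {
            return $home;
        }
    }
    $clean = '/' . implode('/', $segments);

    // Tip 3 from the answer: only redirect to a page that really exists, and only
    // if the resolved file is inside the document root.
    $root = realpath($docroot);
    $real = realpath($docroot . $clean);
    if ($root === false || $real === false
        || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)
        || !is_file($real)) {
        return $home;
    }
    return $clean;
}

// Usage in login.php after a successful login (constructed sample). A relative
// Location is fine, as the answer's tip 1 says: no domain needs to be supplied.
$target = safe_redirect_path($_GET['ref'] ?? '', __DIR__);
header('Location: ' . $target, true, 302);
exit;
```

With the question's example, `ref=category/products/product-1.php` is accepted only when `category/products/product-1.php` exists under `$docroot`; `ref=//evil.example`, `ref=http://evil.example/`, and `ref=../../etc/passwd` all fall back to `/`.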
