DaniWeb Forum Index > Web Development > PHP

Limiting Access to webpage only by link

Please support our PHP advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases

•

Join Date: Nov 2008

Posts: 42

Reputation: squarkman is an unknown quantity at this point

Solved Threads: 0

squarkman

Offline

Light Poster

Limiting Access to webpage only by link

Dec 13th, 2008

Hi,

This is a tough one!

Is there a way to prevent someone from typing in a url to get to a page YET that page IS accessible from a LINK on some other webpage.

Thx

•

Join Date: Apr 2007

Posts: 437

Reputation: Fungus1487 is on a distinguished road

Solved Threads: 50

Fungus1487 Fungus1487 is offline

Offline

Posting Pro in Training

Re: Limiting Access to webpage only by link

Dec 13th, 2008

depends how far you want to take this.

For example you can easily append a unique ID for all sites you wish to link to this page e.g.

http://www.mysite/yourpage.com?token=123

you would then perform a check to see if the "token" variable equals 123.

This can be easily manipulated by somebody even with a very minimal knowledge in computing.

Another option could be to obtain a list of all sites and pages that you wish to allow links to your site and then on load of your page check the $HTTP_REFERER; variable (this contains the last page the user was refered from) if this is in your list then allow them to see the page. This has alot of downfalls as for example if someone navigates within your page you will get a refferer of your own page so would need some cookie or session handling setup to identify people. Also some browsers dont send the refering data.

If javascript is not a problem on the pages you will be linking from. You could use a <FORM> which generates and stores a token in a hidden field which you could then pass through to your page and pickup/ validate against it. Again this isnt fully secure and through a link alone you will have a tough time validating incoming users.

Perhaps something like an alternating security token will do the trick but im guessing youll want it to be alot more secure.

When Autumn Falls [ http://www.whenautumnfalls.co.uk ] &&
Designdotworks [ http://www.designdotworks.co.uk ] Web / Graphic / Software Design

•

Join Date: Nov 2008

Posts: 42

Reputation: squarkman is an unknown quantity at this point

Solved Threads: 0

squarkman

Offline

Light Poster

Re: Limiting Access to webpage only by link

Dec 13th, 2008

In your first solution, could I not simply type in
http://www.mysite/yourpage.com and get to the page?

•

Join Date: Dec 2008

Posts: 94

Reputation: sikka_varun is an unknown quantity at this point

Solved Threads: 11

sikka_varun sikka_varun is offline

Offline

Junior Poster in Training

Re: Limiting Access to webpage only by link

Dec 14th, 2008

Perhaps you can use some other token like the phpsessid from the php sessions to make your links more secured..
for eg.
http://mysite.com/yourpages.php?phpsessid=Aw2jdj3ddk39

You can generate this phpsessid on the very first page of your site... i.e. your index.php page... and then use it on every page..

On the top of the page, you can check for this value... store it in session or in database.. and check its value on every page top...

VâRûN
---Happy to Help---
sikka_varun@yahoo.com

•

Join Date: Nov 2008

Posts: 24

Reputation: xarz is an unknown quantity at this point

Solved Threads: 1

xarz

Offline

Newbie Poster

Re: Limiting Access to webpage only by link

Dec 14th, 2008

the easiest way to do that, by having the following code:

 Help with Code Tags 
 php Syntax (Toggle Plain Text) 
$linkback=$_SERVER['HTTP_REFERER'];
$trusted_links=array("http://www.daniweb.com", "http://www.daniweb.com");
$found=0;
while($trusted_links){
     if($linkback==$trusted_links){
        $found=1;
        break;
     }
}
 
if($found==0)
    die("You cannot access this page");
else
    echo"Welcome!";
$linkback=$_SERVER['HTTP_REFERER'];
$trusted_links=array("http://www.daniweb.com", "http://www.daniweb.com");
$found=0;
while($trusted_links){
     if($linkback==$trusted_links){
        $found=1;
        break;
     }
}

if($found==0)
    die("You cannot access this page");
else
    echo"Welcome!";

i think the code is basic enough and simple to understand.

by the way, according to PHP $_server manual, 'HTTP_REFERER' is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Last edited by xarz; Dec 14th, 2008 at 10:28 am. Reason: caution added

:: xarz ::

•

Join Date: Apr 2007

Posts: 437

Reputation: Fungus1487 is on a distinguished road

Solved Threads: 50

Fungus1487 Fungus1487 is offline

Offline

Posting Pro in Training

Re: Limiting Access to webpage only by link

Dec 15th, 2008

•

Originally Posted by squarkman

In your first solution, could I not simply type in
http://www.mysite/yourpage.com and get to the page?

yes you would be able to locate the page but then its entirely up to your php to determine whether the incoming request should be allowed.

You could change the headers to "404" if you want a page not found error in a users browser that isnt validated

The session example abov would work but the site linking to this page would have to be on the same server for the session to take effect. I believe he was asking for a way to redirect from an external site to this page whilst authenticating.

When Autumn Falls [ http://www.whenautumnfalls.co.uk ] &&
Designdotworks [ http://www.designdotworks.co.uk ] Web / Graphic / Software Design