This is a tough one!

Is there a way to prevent someone from typing in a url to get to a page YET that page IS accessible from a LINK on some other webpage.


depends how far you want to take this.

For example you can easily append a unique ID for all sites you wish to link to this page e.g.


you would then perform a check to see if the "token" variable equals 123.

This can be easily manipulated by somebody even with a very minimal knowledge in computing.

Another option could be to obtain a list of all sites and pages that you wish to allow links to your site and then on load of your page check the $HTTP_REFERER; variable (this contains the last page the user was refered from) if this is in your list then allow them to see the page. This has alot of downfalls as for example if someone navigates within your page you will get a refferer of your own page so would need some cookie or session handling setup to identify people. Also some browsers dont send the refering data.

If javascript is not a problem on the pages you will be linking from. You could use a <FORM> which generates and stores a token in a hidden field which you could then pass through to your page and pickup/ validate against it. Again this isnt fully secure and through a link alone you will have a tough time validating incoming users.

Perhaps something like an alternating security token will do the trick but im guessing youll want it to be alot more secure.

Perhaps you can use some other token like the phpsessid from the php sessions to make your links more secured..
for eg.

You can generate this phpsessid on the very first page of your site... i.e. your index.php page... and then use it on every page..

On the top of the page, you can check for this value... store it in session or in database.. and check its value on every page top...

the easiest way to do that, by having the following code:

$trusted_links=array("http://www.daniweb.com", "http://www.daniweb.com");

    die("You cannot access this page");

i think the code is basic enough and simple to understand. :)

by the way, according to PHP $_server manual, 'HTTP_REFERER' is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

In your first solution, could I not simply type in
http://www.mysite/yourpage.com and get to the page?

yes you would be able to locate the page but then its entirely up to your php to determine whether the incoming request should be allowed.

You could change the headers to "404" if you want a page not found error in a users browser that isnt validated

The session example abov would work but the site linking to this page would have to be on the same server for the session to take effect. I believe he was asking for a way to redirect from an external site to this page whilst authenticating.