Hi, I own an online game and I wish to know whether there is a way to disable my members from changing the URL in the URL bar and only allow them to click links. If they change the URL in the URL bar I would like it to header/re-direct to the index.php or session_destroy();

I would like my game to only be navigational by the links provided. I have over 100 scripts on my server so it would be pointless blocking each script using the referer.

Any ideas?

All 9 Replies

Can't be done. You can't control the browser like that. The closest you could come is to use JavaScript to open your site in a window and remove the URL bar, but that is a bad solution. It will confuse users and leave a lot of them locked out from your site completely.

Well, if you made a completely AJAX driven user interface, it would be possible. However, that also means that search engines cannot crawl your site. And you know what that means.

Well, I'm currently developing a game myself and here is what I have done to prevent this.

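$root = 'yoursite.com';
// Check for authorized entry.
// eregi() was removed in PHP 7, so stripos() does the case-insensitive match here,
// and the Referer header is read from $_SERVER instead of the undefined $webserver array.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (stripos($referer, $root) === false) {
    echo "Unauthorized Access";
    // Just forward to error page.
} else {
    // Continue loading page here
}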

Just put the code above in a file and include it on every page except your index page and you're good to go. If you don't want to manually include it in every page, just place an include statement in a page that you currently include on every page (i.e., security.inc).

Hope that helps.

It's always better to solve problems server side than having to rely on disabling something on the browser...
It would be even better if the game scripts were written so the rules of the game apply no matter what is sent from the browser (i.e., a user-created URL would be invalid in the game since it would break the rules of the game. But if they do put in a valid URL through the address bar, then it's still part of the game.)
This is true for any server-side scripting: game, business logic, regular website, CMS, etc.

Solutions relying on the browser will work, but will be see-through for anyone who wants to cheat.

Hi,

Sorry for bringing a dead thread alive but I am trying to do the exact same thing and haven't come up with a solution. Is there a solution to this? If not, are there any good alternatives?

I think digital said all that needs to be said. Don't #*~! with the browser. You could set up a session which stores the last page / last action. In addition, I'd hash the last page info with a 'salt'.

session_start();
...
$_SESSION['last_page'] = md5('my_incredible_page' . basename($_SERVER['PHP_SELF']));

In a redirected page:

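session_start();
$redirects = array('index.php', 'someother.php' /* ... */); // allowed senders
$confirm = isset($_SESSION['last_page']) ? $_SESSION['last_page'] : '';
$allowed = false;
foreach ($redirects as $r) {
    // Strict comparison, so two hash strings are never compared as numbers
    if ($confirm === md5('my_incredible_page' . $r)) {
        $allowed = true;
    }
}
if ($allowed === true) {
    $_SESSION['last_page'] = md5('my_incredible_page' . basename($_SERVER['PHP_SELF']));
} else {
    header('Location: index.php');
    exit; // stop here so the rest of the page does not run after the redirect
}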

Have to say, it's not ultrasecure. The salt could be derived from a DB value based on regular changes. It's something to play with anyway.
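The session approach above, reworked as an added example (not diafol's code): because session data never leaves the server, the last page can be stored as a plain name, and one shared include can check it against a map of permitted moves. The page names and the `ALLOWED_FROM` map are constructed for illustration.

```php
<?php
// Added example: page names and the transition map are constructed for illustration.

// For each page, the pages a request may arrive from.
const ALLOWED_FROM = [
    'index.php'  => ['index.php', 'town.php', 'shop.php', 'battle.php'],
    'town.php'   => ['index.php', 'shop.php', 'battle.php'],
    'shop.php'   => ['town.php'],
    'battle.php' => ['town.php'],
];

/**
 * Returns true and records $page as the new position if the move is allowed;
 * returns false and leaves the session untouched otherwise.
 */
function navigation_allowed(array &$session, string $page): bool
{
    if (!array_key_exists($page, ALLOWED_FROM)) {
        return false;                       // unknown script: deny by default
    }
    $last = $session['last_page'] ?? null;
    if ($last === null) {
        $ok = ($page === 'index.php');      // a fresh session may only start at the entry page
    } else {
        $ok = in_array($last, ALLOWED_FROM[$page], true);
    }
    if ($ok) {
        $session['last_page'] = $page;
    }
    return $ok;
}

// In a shared include the call would be (hypothetical wiring):
//   session_start();
//   if (!navigation_allowed($_SESSION, basename($_SERVER['SCRIPT_NAME']))) {
//       header('Location: index.php');
//       exit;
//   }

// Constructed walk-through using a plain array in place of $_SESSION.
$session = [];
foreach (['battle.php', 'index.php', 'town.php', 'battle.php', 'shop.php'] as $page) {
    printf("%-10s %s\n", $page, navigation_allowed($session, $page) ? 'served' : 'redirect to index.php');
}
```

The browser's back button and a second open tab also produce moves that are not in the map, so they are redirected as well.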

If you are trying to stop users from manipulating the url, you can use a csm of the url to validate it. I have been using this method for years, to prevent people from changing the id in a url to edit a record that they shouldn't be editing (I usually have 2 or 3 checks to make sure it's the right person, not just the url csm though).

Here is a function that I just made (it only works if you are using the $_GET superglobal though, a different function would be required for something else):


To test, just put on its own page and run. You will be able to see how it works.

function url_csm( $url,$to_html=true,$remove_csm=false ) {
	$url = trim( $url,'/' );
	$md5 = md5( $url . SALT );
	$vars = array();
	if ( ( $pos = strpos( $url,'?' ) ) !== false ) {
		$data = substr( $url,( $pos + 1 ) );
		$url = substr( $url,0,$pos );
		$data = explode( '&',$data );
		foreach( $data as $datum ) {
			list( $key,$val ) = explode( '=',$datum,2 );
			$vars[$key] = $val;
		}
	}
	if ( isset( $vars['csm'] ) && $remove_csm == true ) {
		unset( $vars['csm'] );
	}
	else {
		$vars['csm'] = $md5;
	}
	$query_string = array();
	foreach( $vars as $key => $val ) {
		$query_string[] = "{$key}={$val}";
	}
	return ( $remove_csm == false ? 'http://' . $_SERVER['SERVER_NAME'] . '/' : '' ) . $url . ( count( $query_string ) > 0 ? '?' . implode( ( $to_html == true ? '&amp;' : '&' ),$query_string ) : '' );
}
function url_csm_valid() {
	if ( !isset( $_GET['csm'] ) || md5( url_csm( $_SERVER['REQUEST_URI'],false,true ) . SALT ) !== $_GET['csm'] ) {
		return false;
	}
	return true;
}

define('SALT','large random string here');

if ( !isset( $_GET['csm'] ) ) {
	echo '<a href="' . url_csm( $_SERVER['PHP_SELF'] . '?testing=test' ) . '">Click here</a><br />';
}
else {
	echo '<p>Now trying changing the key or value of the test var in the url</p>';
	echo 'Checksum Valid = ' . ( url_csm_valid() == true ? 'Yes' : 'No' );
}

exit;

I think that is what you were trying to accomplish but I might be wrong.
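The same URL-checksum idea as an added example (not the poster's code): the checksum is a keyed HMAC-SHA256 instead of `md5($url . SALT)`, it is compared with `hash_equals()` in constant time, and it covers the user the link was issued to, so a valid link copied to another account fails. `SIGNING_KEY`, the `sig` parameter name and the user ids are assumptions made for this sketch.

```php
<?php
// Added example: SIGNING_KEY, the 'sig' parameter and the user ids are constructed.
// In a real deployment the key is a long random value kept outside the web root.
const SIGNING_KEY = 'constructed-demo-key-replace-with-random-bytes';

/** String that gets signed: path, query pairs in sorted order, and the owning user. */
function canonical_request(string $path, array $params, string $userId): string
{
    unset($params['sig']);                  // the signature never signs itself
    ksort($params);                         // parameter order must not matter
    return $path . '?' . http_build_query($params) . '|' . $userId;
}

/** Build a link for $userId with the signature appended as 'sig'. */
function sign_url(string $path, array $params, string $userId): string
{
    $params['sig'] = hash_hmac('sha256', canonical_request($path, $params, $userId), SIGNING_KEY);
    return $path . '?' . http_build_query($params);
}

/** Check the signature on an incoming request URI for the logged-in user. */
function verify_url(string $requestUri, string $userId): bool
{
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    parse_str((string) parse_url($requestUri, PHP_URL_QUERY), $params);
    if (!isset($params['sig']) || !is_string($params['sig'])) {
        return false;                       // missing or array-valued signature
    }
    $expected = hash_hmac('sha256', canonical_request($path, $params, $userId), SIGNING_KEY);
    return hash_equals($expected, $params['sig']);   // constant-time comparison
}

// Constructed walk-through: a link issued to user-7 for record 42.
$link = sign_url('/edit.php', ['id' => '42'], 'user-7');
$cases = [
    'link as issued'                   => [$link, 'user-7'],
    'id changed in the address bar'    => [str_replace('id=42', 'id=43', $link), 'user-7'],
    'same link used by another member' => [$link, 'user-8'],
    'signature stripped'               => ['/edit.php?id=42', 'user-7'],
];
foreach ($cases as $label => [$uri, $user]) {
    printf("%-34s %s\n", $label, verify_url($uri, $user) ? 'accepted' : 'rejected');
}
```

A valid signature only proves the link was issued by the server to that user; the script behind it still has to check that the user may act on the record.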

Hi, I think you can try to use mod_rewrite in .htaccess to manipulate the URL and redirect to index.php if the URL changes in the address bar.

URL masking can also play the trick.
