I am working on a series of web pages and I would like to be 100% certain that users cannot jump around to any page they like by typing a URL into their browser. I have used $_SERVER['HTTP_REFERER'] to check at the top of most pages and if the referer is not what I think it should be, I redirect the user back to the beginning.
I have been reading, however, that this method may not be as reliable as I want.
The page http://php.net/manual/en/reserved.variables.server.php says, "*'HTTP_REFERER' The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.*"
Is there another way to be certain that if a user got to http://page2.php that he absolutely every time got there from http://page1.html? I know users can set their own cookies, so that won't work.
Since these pages exist on a server already and the [HTTP_REFERER] variable seems reliable, may I conclude that it is?
These pages are not commissioned by anyone; I make them by myself for myself. However, when this project is finished, I would like to be able to present it to charities and others for real-life use. I want this to be as strong and bullet-proof as any enterprise application.


All 3 Replies

If it is just a set sequence, why not save the page name each time in a session variable and check that variable on entry to the next page?

Yes, save the page name in the session with the userid as the key.
E.g., if you are the user, then save the session as

<?php
session_start();
// Record the page the user has just been through, keyed by their user id
$_SESSION['ffej2ffej'] = "page1.html";
?>

Then, before opening page2, check what the last referred page was, i.e., the value of $_SESSION['ffej2ffej'].
Click here for more information on SESSION from the PHP manual.

diafol

I would say sessions, BUT, try the following:

<?php
session_start();
// Show the page this session last recorded (if any), then record the current one
echo (isset($_SESSION['page'])) ? "PREV: " . $_SESSION['page'] . "<br />"  : "NO PREV SET<br />";
$_SESSION['page'] = basename($_SERVER['PHP_SELF']);
echo "THIS: ". $_SESSION['page'];
?>

And place this in 3 files called page1.php, page2.php, page3.php.
See if it works.
Then navigate away from your site to something like Google.
Then enter the address for one of those pages again.
You may find that your page shows the last entry (PREV), even though you came from the google page.

In addition, multiple tabs showing different pages of your site may complicate things too. So a new tab where you manually type in, say, 'page3.php' may show a PREV.

A possible solution would be to create a unique token for a session variable and the same one for the link (or button) that can be picked up by $_GET (or $_POST).

<?php
session_start();
$unique = md5(time()); // or something similar
$_SESSION['unique'] = $unique; // remember the token server-side so the next page can compare it
?>

<a href="page2.php?token=<?php echo $unique;?>">NEXT</a>

The above does not do any testing; it just sets the unique token for that page.

You can test with this:

<?php
session_start();
// Accept the page only if the token in the link matches the one stored in the session
if(isset($_SESSION['unique']) && isset($_GET['token']) && $_SESSION['unique'] == $_GET['token']){
    //valid
}
?>

This would need to be tested before the setting of a new unique token. Not tested - just something off the top of my head. So, it may not work. Thinking about it - I don't know if this is secure at all. :(
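The following is an added example, not code posted in this thread, that turns the two ideas above (a server-side record of how far the user has got, plus a token carried by the NEXT link) into one gate that also covers the reload and extra-tab cases diafol describes. It assumes a hypothetical page order page1.php, page2.php, page3.php, a token lifetime of 600 seconds, and that the session is the usual $_SESSION array. It uses random_bytes() instead of md5(time()) so the token cannot be guessed from the clock, hash_equals() for the comparison, and deletes the token once it has been used, so the same link cannot be replayed from a second tab.

```php
<?php
// flow.php: sequential page gate using a server-side step record plus a
// one-time token. Added example for this thread; page names, TTL and
// function names are assumptions, not anything from the original posts.
const PAGE_ORDER = ['page1.php', 'page2.php', 'page3.php']; // hypothetical order
const TOKEN_TTL  = 600;                                       // seconds a NEXT link stays valid (assumption)

// Call on the page the user is leaving: records which page was completed
// and mints a fresh, unguessable token for the NEXT link.
function issue_next_token(array &$session, string $currentPage): string
{
    $token = bin2hex(random_bytes(16));   // 128 random bits, unlike md5(time())
    $session['flow'] = [
        'reached' => $currentPage,        // last page legitimately completed
        'token'   => $token,
        'issued'  => time(),
    ];
    return $token;
}

// Call at the top of the page being entered. Returns true only if the
// previous page in PAGE_ORDER was completed, the token from the link matches
// the one stored server-side, and the token is still fresh. The token is
// removed on success, so a reload, a bookmark or a second tab cannot reuse it.
function enter_page(array &$session, string $thisPage, ?string $token): bool
{
    $idx = array_search($thisPage, PAGE_ORDER, true);
    if ($idx === 0) {                      // the first page is always open
        return true;
    }
    $flow = $session['flow'] ?? null;
    if ($idx === false || $flow === null || $token === null) {
        return false;
    }
    $fromRightPage = ($flow['reached'] === PAGE_ORDER[$idx - 1]);
    $tokenMatches  = hash_equals($flow['token'], $token);   // constant-time compare
    $fresh         = (time() - $flow['issued']) <= TOKEN_TTL;
    if (!($fromRightPage && $tokenMatches && $fresh)) {
        return false;
    }
    unset($session['flow']);               // one-time use
    return true;
}

// Usage inside a real page, e.g. page2.php, after session_start():
//   $token = isset($_GET['token']) && is_string($_GET['token']) ? $_GET['token'] : null;
//   if (!enter_page($_SESSION, basename($_SERVER['PHP_SELF']), $token)) {
//       header('Location: page1.php');
//       exit;
//   }
//   $next = issue_next_token($_SESSION, 'page2.php');
//   echo '<a href="page3.php?token=' . htmlspecialchars($next, ENT_QUOTES) . '">NEXT</a>';

// CLI walk-through with a constructed in-memory "session" (run: php flow.php)
if (PHP_SAPI === 'cli') {
    $session = [];
    var_dump(enter_page($session, 'page1.php', null));        // bool(true): first page
    $t = issue_next_token($session, 'page1.php');
    var_dump(enter_page($session, 'page3.php', $t));          // bool(false): skipped page2
    var_dump(enter_page($session, 'page2.php', 'deadbeef'));  // bool(false): forged token
    var_dump(enter_page($session, 'page2.php', $t));          // bool(true): followed the real link
    var_dump(enter_page($session, 'page2.php', $t));          // bool(false): token already consumed
}
```

The check must run before a new token is issued on the same page, as diafol notes, otherwise the page would overwrite the token it is supposed to verify. Because both the step record and the token live only in the session, nothing the client can edit (referer, cookies it sets itself, the URL) lets it skip a page; the only way to obtain a valid token for page N is to have been served page N-1 in this session.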
