  1. #1
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Question Deny access to page from external links

    I'm trying to learn a little php by modifying a script from one of the free archives. Regrettably, I'm not getting it (after a couple hours of frustration), so am turning to the experts for guidance.

    What I'd like to accomplish is this: If a person tries to link to a specific page via an external URL, they will get an alert which denies them access and redirects them to another page. Below is what I have tried (with no success) ... if anyone can advise me of the correct way to handle this, I'd be grateful:

    Code:
    <?php 
    $Referer = getenv("HTTP_REFERER");
    if (!strchr($Referer, "DOMAIN-NAME.com")) 
    {
    echo 
    ?> 
      
    <!-- page content starts here -->
         <HTML>
         <HEAD>
    	 <title>Correct Page</title>
         </HEAD>
         <BODY>
    	 <p>This is the correct page.
         </BODY>
         </HTML>
    <!-- page content ends here -->
    	
    <?php 
    }
    else
    { 
    echo "<script>alert('This page is not available for external linking -- you will now be returned to our home page.');window.location='http://www.DOMAIN-NAME.com';</script>"; 
    exit(); 
    } 
    ?>
    Reno CF

  • #2
    New Coder
    Join Date
    Jun 2005
    Posts
    35
    Thanks
    0
    Thanked 0 Times in 0 Posts
    http://us4.php.net/manual/en/reserve...iables.request
    'HTTP_REFERER'

    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
    If you're on an Apache server, I would consider having one main index page, which depending on the supplied get param will php include the corresponding page. Those pages can then be placed in a sub directory with an .htaccess file that has
    Code:
    <Files *.php>
    Order Deny,Allow
    Deny from all
    </Files>
    And in your main index file, although there are various techniques, some more search engine friendly than others, they all rely on $_GET.

    So index.php could be

    PHP Code:
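    <?php

    // Read the page name once; an absent parameter falls through to the default
    $page = isset($_GET['page']) ? $_GET['page'] : '';

    switch ($page) {

        case 'about_us':

            include('pages/about_us.php');

            break;

        default:

            include('pages/index.php');

            break;

    }

    ?>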
    But this means all your links will need to specify the page get param, ie.

    <a href="index.php?page=about_us">About Us</a>

    Edit:
    Still be subject to the HTTP_REFERER though (on index.php)... one workaround might be to set a session var and test to see if that exists prior to displaying the page, but sessions shouldn't be used unless really necessary..

    index.php
    Code:
    <html>
    <head>
    <title>Main</title>
    </head>
    <body>
      <a href="page2.php">page 2</a>
    </body>
    </html>
    page2.php
    PHP Code:
    <?php

    // HTTP_REFERER is sent by the browser, so it can be missing or forged
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    $domain = 'www.domain.com';

    // strpos() returns false when the domain is absent, so compare against false explicitly
    if (strpos($referer, $domain) !== false) {

    ?>

    <!-- page content starts here -->
         <HTML>
         <HEAD>
       <title>Correct Page</title>
         </HEAD>
         <BODY>
       <p>This is the correct page.
         </BODY>
         </HTML>
    <!-- page content ends here -->

    <?php

    } else {
      echo "<script>alert('This page is not available for external linking -- you will now be returned to our home page.');window.location='http://$domain';</script>";
      exit();
    }
    ?>
    Last edited by devosc; 06-05-2005 at 01:09 AM.

  • #3
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks very much devosc for your detailed explanation. I have a quick question -- if I want the script to refer to multiple pages, would I use something like this:
    Code:
     case 'about_us': 
         
            include('pages/about_us.php'); 
             
            break;
    
     case 'contact_us': 
         
            include('pages/contact_us.php'); 
             
            break;
    
     case 'faq': 
         
            include('pages/faq.php'); 
             
            break;
    etc.........
    Reno CF

  • #4
    New Coder
    Join Date
    Jun 2005
    Posts
    35
    Thanks
    0
    Thanked 0 Times in 0 Posts
    yeah the above would be ok... later on you may then want to automatically resolve the page name to automatically include, rather than having to update the switch statement... let's leave that for another day

  • #5
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you devosc. I just tested about_us, contact_us, and faq, and they all work fine using your php format. But somehow my server does not like the .htaccess. I have tried a number of different configs in the subfolder where it resides, but it is not functioning correctly. For example none of these will work except the very last one:
    Code:
    <Files *.php>
    Order Allow,Deny
    Deny from all
    Allow from .domainname.com
    </Files>
    
    <Files *.php>
    Order Allow,Deny
    Allow from .domainname.com
    Deny from all
    </Files>
    
    <Files *.php>
    Order Deny,Allow
    Allow from .domainname.com
    Deny from all
    </Files>
    
    <Files *.php>
    Order Deny,Allow
    Deny from all
    Allow from .domainname.com
    </Files>
    
    <Files *.php>
    Order Allow,Deny
    Allow from all
    </Files>
    As soon as I put anything whatsoever with "Deny from", I get a Forbidden page, even from links within the same url. Not sure what that's about -- will have to mess with it some more in the morning....
    Reno CF

  • #6
    Regular Coder
    Join Date
    Aug 2004
    Location
    The US of A
    Posts
    767
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Why not use a session?

  • #7
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    I'm with Kurashu on that, assuming that you are using apache, it may be better to use a .htaccess file, but being the php forum, let's keep it simple.
    All you need to do is know that a session value is set:
    PHP Code:
    if (empty($_SESSION['IN_SITE']))
    {
         // No session flag set by another page of the site: refuse the request
         header("HTTP/1.0 403 Forbidden", false);
         exit;
    }

    Just throw that onto your page, starting it with a session_start and you're good to go. You just need to set it on all of your other pages.

  • #8
    Regular Coder
    Join Date
    Aug 2004
    Location
    The US of A
    Posts
    767
    Thanks
    1
    Thanked 0 Times in 0 Posts
    You could have the page redirect to your index as well or at least display a little more information about what happened.

  • #9
    New Coder
    Join Date
    Jun 2005
    Posts
    35
    Thanks
    0
    Thanked 0 Times in 0 Posts
    unless cookies are enabled the session id would need to end up in the url, and if the site doesn't require things like logins etc, then no need for sessions..

    A workaround to the session would be to use the above includes, and at the top of index.php put define('IS_SITE',true); and then at the top of the files that are included, put if (defined('IS_SITE') == false) return FALSE; or some form of handler like a redirect....

    But this will still not prevent the pages from being served... hmm.

    I'm not sure why the deny statement is not working for you, would have to look at the apache docs if this is due to some constraint by Apache in the conf files - but I've never come across that problem before...
    Last edited by devosc; 06-05-2005 at 07:20 AM.
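
The include-based index.php from earlier in the thread, extended to resolve the page name automatically and combined with the IS_SITE constant described in the post above. This is an added example, not part of the original thread; the `pages/` layout follows the thread, while `resolve_page()` and `PAGES_DIR` are hypothetical names.

```php
<?php
// index.php -- added example, not from the thread.
// Resolves ?page=NAME to pages/NAME.php without a hand-maintained switch,
// while refusing any name that could reach a file outside pages/.

define('IS_SITE', true);   // each file in pages/ starts with:
                           //   if (!defined('IS_SITE')) { exit; }
define('PAGES_DIR', __DIR__ . '/pages');

/**
 * Return the absolute path of the page to include, or null when the
 * requested name is not acceptable. Hypothetical helper.
 */
function resolve_page($name, $baseDir)
{
    // 1. Accept only short names of lowercase letters, digits and underscores,
    //    so dots, slashes, null bytes and URL schemes never reach include.
    if (!is_string($name) || !preg_match('/\A[a-z0-9_]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Canonicalise both paths; realpath() returns false for a missing file.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check: the resolved file must sit directly inside pages/
    //    (this also rejects symlinks that point somewhere else).
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'index';
$file = resolve_page($requested, PAGES_DIR);

if ($file === null) {
    header('HTTP/1.0 404 Not Found');
    exit('Page not found.');
}
include $file;
```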

  • #10
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks everyone. I am actually thinking of using a login, so in that case, would you recommend adding the session? Here is the login.php I would use, so how would $_SESSION be best integrated, so there is no conflict?
    Code:
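    <?php
    // Define username + password
    $username = "user";
    $password = "pass";

    // Read the submitted fields, defaulting to empty strings on the first (GET) request
    $postedUser = isset($_POST['txtUsername']) ? $_POST['txtUsername'] : '';
    $postedPass = isset($_POST['txtPassword']) ? $_POST['txtPassword'] : '';

    if ($postedUser !== $username || $postedPass !== $password) {

    ?>

    <h1>Login</h1>
    <!-- PHP_SELF can contain text taken from the request URL, so escape it before output -->
    <form name="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">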
        <p><label for="txtUsername">Username:</label>
        <br /><input type="text" title="Enter your Username" name="txtUsername" /></p>
    
        <p><label for="txtpassword">Password:</label>
        <br /><input type="password" title="Enter your password" name="txtPassword" /></p>
    
        <p><input type="submit" name="Submit" value="Login" /></p>
    </form>
    
    <?php
    }
    else 
    {
    ?>
    <!-- xxxxxxx -->
    
    <html>
       <head>
           <title>Index Page</title>
       </head>
       <body>
        <a href="pages/index.php?page=about_us">About Us</a>
       </body>
    </html> 
    
    <!-- xxxxxxx -->
    <?php
    }
    ?>
    Reno CF

  • #11
    New Coder
    Join Date
    Jun 2005
    Posts
    35
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I would look into why you're having that problem with the .htaccess file, even ask your webhost - really you shouldn't have this problem and it, the .htaccess file, will come in handy later...

    Logins...

    You need a login.php.

    Once the login form has been submitted (presumably back to itself), and upon verification, it will then do something like $_SESSION['logged_in'] = true; after which any page that is navigated to from then on, one can then have a check to determine if(isset($_SESSION['logged_in']) and $_SESSION['logged_in'] === true);

    There are loads of tutorials on sessions, logins, I would have a look. Having said that depending on what you want your site to do and who it is for, there are lots of things related to sessions, logged in users, search engine optimization, i.e. why not try and find an application that already has these features and customize the application to suit your needs, strip out parts if needed, this way you won't be building a site (literally from square one), which many other applications have already started to do for you already etc...
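
The login flow described in the post above, written out with the form field names from login.php in post #10. This is an added example, not code from the thread; `AUTH_USER`, `AUTH_HASH`, `try_login()` and `require_login()` are hypothetical names and the credentials are constructed sample values.

```php
<?php
// auth.php -- added example, not from the thread. Include it at the top of
// login.php and of every protected page, before any output is sent.

// Keep the session id in a cookie only, so a copied link never carries a session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

// Constructed sample credentials. The hash is computed here only so the example
// runs as-is; in real use, store the string that password_hash() printed once.
define('AUTH_USER', 'user');
define('AUTH_HASH', password_hash('pass', PASSWORD_DEFAULT));

/** Verify submitted credentials and, on success, mark the session as logged in. */
function try_login($user, $pass)
{
    // hash_equals() and password_verify() avoid timing differences on mismatch.
    $ok = hash_equals(AUTH_USER, (string) $user)
        && password_verify((string) $pass, AUTH_HASH);
    if ($ok) {
        session_regenerate_id(true);   // fresh id after login blocks session fixation
        $_SESSION['logged_in'] = true;
    }
    return $ok;
}

/** Call at the top of a protected page; ends the request when not logged in. */
function require_login()
{
    if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
        header('HTTP/1.0 403 Forbidden');
        exit('Please log in first.');
    }
}

// What login.php does with a submitted form:
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['txtUsername']) ? $_POST['txtUsername'] : '';
    $pass = isset($_POST['txtPassword']) ? $_POST['txtPassword'] : '';
    if (try_login($user, $pass)) {
        header('Location: index.php');
        exit;
    }
    $error = 'Wrong username or password.';   // shown above the form by login.php
}
```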

  • #12
    Regular Coder
    Join Date
    Jan 2003
    Location
    West Virginia
    Posts
    110
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I would look into why you're having that problem with the .htaccess file
    I agree. It's weird, as I've used htaccess before at this server without a problem, and weirder yet, I got a message this morning from them saying that my allowable space was 99% used up. When I checked the folder where I put that htaccess file, it had generated a file named "core" that was 14 MB! When I downloaded and examined it, there was a bunch of gibberish (like machine code). So naturally I deleted it and got my space back. Working on the web is one mystery after another!
    why not try and find an application that already has these features and customize the application to suit your needs...
    I swear, that's exactly what I was doing when the email arrived about your latest post. I think I've found something (called "Obie Quick Authentication"), so I'll mess with that to see what happens.

    Thanks again for your help....
    Reno CF

  • #13
    Regular Coder
    Join Date
    Aug 2004
    Location
    The US of A
    Posts
    767
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by devosc
    unless cookies is enabled the session id would need to end up in the url, and if the site doesn't require things like logins etc, then no need for sessions..
    Your logic amazes me. This is a perfect example of using sessions. It is self-contained, easy, and most importantly works. Ever heard of Occam's Razor? The simplest solution is the right one.

    So before you go and get your panties in a bunch and create a huge script to do this you can create a simple five, maybe six, line function to check this for you.

    PHP Code:
    function check() {
     // Refuse the request unless another page of the site has set the session flag
     if(!isset($_SESSION['in_site'])) {
      header("HTTP/1.0 403 Forbidden", false);
      exit; 
     }
    }

  • #14
    New Coder
    Join Date
    Jun 2005
    Posts
    35
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I admit, my thinking may have been a little confused, or rather I was trying not to then move into other things, but even so, what happens when I send someone a link containing the session id ? unless the session has expired, they would be able to link / access the page directly ? (same applies even if some sort of login implementation existed)
    What I was trying to accommodate, although thinking now it probably isn't possible, is for these pages to still be spidered for content without the need for a session id, so yes this convoluted thinking may have been incorrect, for example, it would be nice if these pages could be spidered for content, se listings, but at the same time prevent other sites from linking the site in one of their frames (without javascript detection), but yeah not possible I suppose.

  • #15
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Lol
    Using defined variables will also work, but only if you are planning on including a page into another. In fact, I would also like to mention that using a constant is probably more reliable if you are planning on protecting a file that must be included into another file - less code that way, same effect. The constant will disappear after the script run so using it to validate referrers isn't really an option, hence my use of sessions instead. Enable sessions.use_trans_sid and you don't need to append your sessions.

