HTTP_REFERER to Make Sure User Comes From Page X

austingecko

Here is the relevant code ($preview is passed in the link clicked by the user --- this is not a problem):

.....
$goodurl = "http://localhost/foo/bar.php";
$HTTP_REFERER = $_SERVER['HTTP_REFERER']; 
if ($preview != "" && substr($HTTP_REFERER,0,strlen($goodurl)) == $goodurl)
	{
....

Only a user who comes from http://localhost/foo/bar.php (or the same page with any added variables) can access the page with this code.

Fortunately, this works -- in Mozilla. However, it does not work for me in IE. I'm not sure why.

Any suggestions?

Thanks in advance for your help.

( 🙁 vBCode makes me sad --- can't we handle html as easily? )

austingecko

Per <a href="http://www.faqts.com/knowledge_base/view.phtml/aid/31">this thread at FAQTs</a>, I added global $HTTP_REFERER.

Again, still working in Mozilla. Not in my IE 6.0. I read HTTP_REFERER may not work for older browsers, I guess it also may not work for newer browsers?

Well, I'm thinking of an alternative to HTTP_REFERER. What I want to do is this: a user can get to page B only from page A.

I guess I could use sessions, but I would need to erase the session after the user views page B.

the_Igel

Yes, sessions or some likeness of them. Mainly, some unique identifier, md5 or smth, that's given at A and checked at B. And then destroyed. Store it in session or in db or whatever.

austingecko

ok. Here is my code, maybe someone else will benefit.

Script A (where the user comes from) includes:

   $script_pass = 'ok';
   session_start();      

   session_register("script_pass");

Script B (where the user goes and only displays to people from Script 😎

   if ($_SESSION["script_pass"] == TRUE) {
   echo 'Welcome';
   $script_pass = '';
   session_start();      

   session_register("script_pass");   

   } else {
   echo 'You are not welcome.';
   }

The session for script_pass needs to be cleared or it will remain and the user could access Script B from anywhere. I store sessions in the local file, but if you give it to the user via a cookie or something like that, the_Igel raises a good point --- md5 would be a good thing.