deny access when browsed directly?

bbeban

I am trying to deny access to a page when the user types the url into their location bar, and I can't seem to figure out how to make it work dependably. The pages in question are part of a chain that gets kicked off when the user clicks a link and a popup window appears. I want to make sure that no one can simply type the url of this popup into their browser and alter the url.

Can anyone out there help me with a method and some code to start off with? This one is driving me nuts... I've tried using Javascript to check for document.referrer, but since the urls are dynamic it's not working. I've tried establishing a session, but not implemented it well, I think, and again it's not consistent. This seems like such a simple thing I must need to step back and re-examine what the easiest way to do this is. Please help!

Thanks --

leatherback

Well,

sessions SHOULD work. You could store a variable $lastpage, and have every page set this variable. In the page you then check wether the last page is part of a set of pre-defined optional pages.

Maybe you can show us the code of teh session, and perhaps spot a mistake?

Of course, the $_SERVER[HTTP_REFERER]; is an other thing to check for: Is the referring page correct?
J.

razz

I use SESSION's. As an example:

1 User registers their info into register_form.php.

2 The form is sent and validated and sent to a confirm page of reg_confirm.php ( gives them a chance to make changes).

3 Upon confirm they are sent to get Credit Card Info on cc_form.php.

This goes on a few more pages too, but you get the idea.

I don't want them going to the confirm.php before register. I don't want the cc_form.ph until the confirmation.

On the first page (register_form.php) I test for SESSION abilities and that's all.

Then upon submit their input is validated through some function in an included file. If all validates the validate function ends by setting a progress test flag and redirecting them as follows:

			$_SESSION['user_reg'] = 1;
			header('LOCATION: register_confirm.php');

That sets the progress flag to 1 and sends them to the confirmation page.

On the confirmation page register_confirm.php I have the following code:

/
From access_fns.inc to check for set session flags and make sure
the user has filled in the register_form.php page
FORMAT is access_test(variable_name, variable_value, required_value)
/

access_test('user_reg',$_SESSION['user_reg'],1);

This calls a function in an included file. It takes the name of the variable, the value of the variable, and the required value for the page.

the function is as follows:

// Check for the variable value is set to the right flag - FORMAT is access_test(variable_name, variable_value, required_value)

function access_test($variable, $var_value, $flag)
{
if ($var_value != $flag)
{
if ($var_value < $flag)
{
if ($variable == 'user_reg')
{
$_SESSION['error'] = 'regorder';
}

           			if ($variable == 'test_order')
               		{
                   			$_SESSION['error'] = 'testorder';
           			}

               		if ($variable == 'admin')
               		{
	                   		$_SESSION['error'] = 'admin';
	               	}

               		if ($variable == 'valid_user')
              		{
                   			$_SESSION['error'] = 'valid_user';
               		}

          		header('LOCATION: ../index.php');
          		exit;
     	}	

}

}

It tests for the required value and sets a SESSION error if access flags do not match. Then, if it does not match it sends you to the index.php file with the error set.

If it matches it does nothing. (You could have it return true or something if needed.)

The index.php page displays the error as follows:

// DISPLAY SESSION ERROR

if ($_SESSION['error'])
{

switch($_SESSION['error'])
{

	case 'regorder':
		echo '<center><font face="arial,helvetica" color="EE1D25" size=-1><b>Access Denied</b><p>You have tried to access a registration page out of order.</font></center>';
		unset($_SESSION['error']);
		break;

	case 'testorder':
		echo '<center><font face="arial,helvetica" color="EE1D25" size=-1><b>Access Denied</b><p>You have tried to access a test page out of order.</font></center>';
		unset($_SESSION['error']);
		break;

	case 'admin':
		echo '<center><font face="arial,helvetica" color="EE1D25" size=-1><b>Access Denied</b><p>You have tried to access the Administration area.</font></center>';
		unset($_SESSION['error']);
		break;

	case 'valid_user':
		echo '<center><font face="arial,helvetica" color="EE1D25" size=-1><b>Access Denied</b><p>You have tried to access the Testing Center without a valid login.<p>Please register or login.</font></center>';
		unset($_SESSION['error']);
		break;
}

}

If I need the error shown somewhere special, or more than once, I will not echo it and will store it as:

	case 'valid_user':
		$_SESSION['msg'] = '<center><font face="arial,helvetica" color="EE1D25" size=-1><b>Access Denied</b><p>You have tried to access the Testing Center without a valid login.<p>Please register or login.</font></center>';
		unset($_SESSION['error']);
		break;

That way I can display the text anywhere I want.

Hope that helps.

razz