[Resolved] How to refuse users from direct links

chakytito

Hi, i have a website with many boards but before they go into them i would like to be sure they visited a webpage before them, i use to have a referer tag but since the webpage before loads the board using this:

there's no referer variable pass to the next webpage is there other way to stop direct linking to the boards (ie. via add to favorites)

thanks.

drawmack

METHOD ONE
Use IP tracking and a log file, the basics are this

when the page is visited store the timestamp and the uers's ip address into a log file

When the board page is visited check for the existence of their ip and a recent (say 5 or 10 minutes) timestamp in the log file.

If this information exists then create a new entry in the log file with the current timestamp and ip so that they don't expire while they are on the forums. If this information does not exist in the log file redirect them to the page before the forums.

Make sure you keep this file clean by having one of these functions delete any outdated entries in the log.

Benefits: This method is comletely server side so it does not rely on any technology on the user end, which means the user cannot cause it to fail.

Drawbacks: With most internet user's having dynamic ip addresses there is a chance of anmolous behavior such as someone's ip changing while they are viewing the board causing a kick back to the main page, or one user having the ip and visiting the main page then another user getting around the security by incidently getting the same ip. The chances of these events are rare, but possible.

METHOD TWO
Use cookies.

When someone visits the intro page set a cookie to expire in 5 or 10 minutes.

When someone visits the forum check for the existence of this cookie. If it exists recreate it to give them another 5 or 10 minutes. If it does not exist redirect them to the intro page.

Benefits: You needent worry about dynamic ip addresses with this method as it is tied to a browser instead.

Drawbacks: Two people sharing a computer could, unknowingly, by pass your security. The user could turn cookies off which will mean they can never access your forums.

METHOD THREE
Use session variables.

Just set a session variable on the into page and check for its existence in the forum.

If it exists they can view the forum if it does not they are redirected to the intro page.

Benefits: This is the simplest to set up, as it requires no file cleaning or rewritting of a cookie.

Drawbacks: All known problems with sessions.

CONCLUSION
I usually use method one since it is all server side and the dynamic ip probably has such a low probablity of happening.

If you would like some example code just ask.

chakytito

Method Three may work best as method one may cause a little server load as i have many boards and visitors, about method three...

How could it be implemented? have some example code? thanks a lot.

What i first did was to set the referer of the before page to a variable call $referer then pass it to the board on the url and the board checks if a string like "myhost.com" exists on the $referer variable... obviously, this didn't work 'cause if you save the url it also contains the $referer variable (jejeje was a dumb idea).

drawmack

at the begining of every script do this

session_start();
$_SESSION['visited'] = 'code for board they can access';

at the begining of every borad do this

session_start();

if(!(array_key_exists('visited',$_SESSION) && $_SESSION['visited'] == 'code for this board')) {
    header('Location: url of start page');
} //end if

chakytito

Worked great, i did a little research and may be also after the checking the session could be terminated with:

<?php

session_start();

unset($_SESSION['visited']);

session_destroy();

?>

slak

Remember that a lot of AOL users and corporates use the same IP address.

There's also proxies to take into consideration, too.

Sessions are the best way in my opinion.