Limiting access to a page

wilku

Hello

I've got one page in php (let's call it index.php) that from <iframe> calls another page written in php (be it application.php).
How can I stop users from calling application.php on it's own? I mean if someone wants to use my application for his own site.
First thing I thought was to use $_SESSION and set some varible in index.php and then check it in application.php. But then some intruder would make an invisible frame with index.php, which will create session varible, and visible frame with application.php.
Second thought is to use some kind of time-based hashes but I can't think of anything that can't be fooled.
Any ideas?

leatherback

Hm..

Just a thought..

How about you store -say in your database- a random string whenever the iframe is to be loaded, and you use that random string to load the iframe:

<iframe src="page.php?code=$random">
</iframe>

In the iframed-page you check whether the var code = the stored one, possible linked to the presence of the proper parent.

Hard to spoof. Especially if you would link this to random variable names, stored in the database too ...

Maybe a bit over the top, but well.. If you are experiencing serious trouble..

richie

You can also just check at the top of application.php where the request is coming from:

if($_SERVER['HTTP_HOST']!="your_site_name.tld") {
die('You are not allowed to view this page.');
}

You must be aware that "www.your_site_name.tld" is not the same as "your_site_name.tld".

wilku

Thanks for your replies.

I'll settle for sessions and $_SERVER['HTTP_REFERER'] checking for now and see if it will be abused or not.