[RESOLVED] send and retrive a custom header to check user validity?

Zpixel

i want to prevent users from saving and editing my pages.there may be different ways to do so, but using a custom header i can write:

header("checkHeader: headerid=Dw1506"); for example.

how can i retrive this header in the target page?

laserlight

They can always save the clientside source code that is served to them, but unless there is a server error or you distribute the code, they cannot save and edit your server side source code.

Zpixel

excuse me. i want to prevent users access a page directly.
how can i read my custom header?

Weedpacket

You can't: the header you send out is part of your response to their first request. The headers that are part of their second request are an entirely different beast. Besides, they have to ask for the page before you serve it to them, so when were you going to send them the "custom header"?

Zpixel wrote:
i want to prevent users from saving and editing my pages.

Don't put it on the web for them to view in the first place: that's pretty much the only reliable solution.

With the proviso that it's still not clear what exactly you want, a session ID comes close to being a custom header. Look those up and see if they help.

Zpixel

keeping pages on my pc, not a bad idea. :-)
but we can prevent a user to access a page directly. users must go through ref.php to access anyother pages. ref.php sends a custom header and redirects users.other pages check if there is an appropriate header or not.
also as you know users can't save and edit a page if it's been protected by a session, except a clever troubler.

there maybe another ways to check a user validity to access a page, but just to know: is there any instruction to retrive and check a custom header?

laserlight

keeping pages on my pc, not a bad idea.

Or on your server, but outside the document root, e.g., for an include file with sensitive information like database passwords.

but we can prevent a user to access a page directly. users must go through ref.php to access anyother pages. ref.php sends a custom header and redirects users.other pages check if there is an appropriate header or not.

But why bother with that in the first place? What are you really trying to achieve?

also as you know users can't save and edit a page if it's been protected by a session, except a clever troubler.

The session is a server side mechanism that does not prevent users from saving and editing their saved copy of the page.

If you are worried about the contents of an include file being visible to users, the solution is to provide it with the appropriate extension such that it is treated as a PHP script. The user would then be greeted by a blank page if he or she attempts to view it directly.

Zpixel

The session is a server side mechanism that does not prevent users from saving and editing their saved copy of the page.

users can save and edit pages anyway and they may also make some changes in the page code to crash the the serverside scripts. i know that we have to make strong scripts, but when a session is assined to a user,althoug he can save the page, but if he sends his edited pages by submiting a form,for example, his request is refused. because $_COOKIE['PHPSESSID'] is null and you know it better.

But why bother with that

to add another security option, or make it difficult for a hacker to crash my site.
i wrote some code to achive my goal,it works. what's your opinion?

i think there's a way to solve this problem. when user clicks on a link named "link1" a request like this : ref.php?id=account is sent to the ref.php and user can't access the account.php directly.
in the ref.php some security check is done, then using following fsock instruction, we send a custom header to account.php :

$headerid='Dw1506';
$host="example.com";
$path=$_GET['id'] . 'php';
$port="80";
$tout = 5;
$handle = fsockopen($host, $port, $errno, $errstr,$tout);
fputs($handle,"GET $path HTTP/1.1\r\nHost: $host\r\nCustomHeader: $headerid\r\n\r\n");

while(!feof($handle))
echo fgets($handle,1024);
fclose($handle);

now in the account.php we can retrieve the header using:
$header=$_SERVER["HTTP_CUSTOMHEADER"];
if ($header!='dw1506') {
some code;
exit}

laserlight

Ah, so your intention is not to try and prevent copyright infringement, but to try and prevent an attack on your script.

users can save and edit pages anyway and they may also make some changes in the page code to crash the the serverside scripts.

If you properly validate your input, that cannot happen, save for a bug in the web server, PHP interpreter, or database engine. If you do not properly validate your input, you are probably careless enough to allow SQL injection and XSS anyway, so too bad.

i know that we have to make strong scripts, but when a session is assined to a user,althoug he can save the page, but if he sends his edited pages by submiting a form,for example, his request is refused. because $_COOKIE['PHPSESSID'] is null and you know it better.

The attacker can make use of the very session that you provide.

to add another security option, or make it difficult for a hacker to crash my site.

It sounds like security through obscurity to me. I think you should spend your time improving your input validation code instead. Ensure that your code is able to react appropriately to unexpected input, instead of relying on your input being in an expected format and then trying to prevent the user from providing unexpected input.

Zpixel

thank you.