Using sessions to prevent direct access of frameset files

schwim

Hi there everyone,

I'm creating an HTML sandbox that utilizes a frame page. Top is HTML submission, bottom is output. I would like to ensure that the top and bottom pages are never accessed directly, since they both require variables that can't be set for obvious reasons if not called from the framed page.

main.php calls input.php and output.php. If input.php and output.php aren't in the frames of main.php, then I don't want them to be accessible.

I've tried $_SERVER vars, but , since it's called via a frameset, they carry their own server variables.

Javascript is not an option for anything like this.

Sessions! I think this is the trick, but it's not working for me. Here's what I'm trying:

main.php:

<?php

include("./includes/session.php");

$_SESSION['included'] = '1';


echo("
<FRAMESET ROWS='400,*'>

<FRAME NAME='input' SRC='./input.php'>
<FRAME NAME='output' SRC='./output.php'>

<NOFRAMES> ... </NOFRAMES>

</FRAMESET>
</html>");

UNSET($_SESSION['included']);

?>

input.php and output.php:

<?php

include("./includes/session.php");

if(!ISSET($_SESSION['included'])){
	die("You can not access this file directly.");
}

echo("stuff");

?>

Since both files are being called after the session creation, I was sure that this would work, but I've either implemented it incorrectly or it's not possible to do it via this method. The inclusion of session.php is the start of the php session.

Am I going about this incorrectly? Did I just implement it incorrectly? Trying to echo the $_SESSION['included'] in input.php reveals that nothing is set. If I echo it in main.php however, it is present and accounted for.

Any help would be greatly appreciated.

thanks,
json

bretticus

frames are loaded by the browser. Meaning, the php in input and output will not be parsed before the last line of main.

Instead it will execute like this:

main->browser loads main->browser requests input and output->input->output->browser loads input and output.

When you unset the session variable in your main script, it is unavailable in input and output. Instead, perhaps, get rid of the variable in your output script (since it is called for last.)

Another option is to simply use $_SERVER['HTTP_REFERER'] to ensure the referrer is your main script.

schwim

Hi there Bretticus and thanks very much for your help.

Removing the UNSET from main.php does not work. input.php continues to disregard the session var.

I will try playing around with REFERER, but am confused as to why main.php doesn't share the session var.

thanks,
json

bretticus

Do you have a session_start() in your session.php file? Do you have cookies disabled?

schwim

I should have stated this initially. Very sorry.

Other than this one issue, all other features utilizing the session system is working as intended. The page will only load if you're logged in and session.php starts the session.

Very sorry for the lack of info.

thanks,
json

Weedpacket

bretticus wrote:
Instead, perhaps, get rid of the variable in your output script (since it is called for last.)

I'm not sure you can rely on this; no guarantees are made about the order in which ancillary requests are made - even if there were, there can be the occasion when input and output are requested concurrently, and even if input is requested just before output, something might happen along the way that results in the request for output arriving at the server first.

Is it crashingly important that the frames don't get loaded separately? You say that they rely on certain variables being set. What if you simply add failsafe code that handles the case where those variables are not set and sends maybe blank, or a redirect to the proper page?