[RESOLVED] Prevent Direct Access By Requiring Click from Other Page

rsmith

I know that using the HTTP_REFERER isn't necessarily the best method seeing as that it can be spoofed or altered but what are community members doing to meet the following: A page exists that must not be accessible unless the link on another page is the method that delivered them there? If someone attempts to simply type in the URL there should be a die("Direct Access Prohibited"); statement to kill the access.

My scenario. I have a view.php file that accepts an "id" through GET via "view.php?id=1" for example. view.php itself should not be accessible unless the user clicks from the page that links to it. I've already handled the logic checks on the ?id= part to check for validity and die() accordingly but I need to prevent direct access in general.

Thoughts?

Thanks in advance.

bradgrafelman

The problem is that your requirement is impossible. At least, not unless you augment the HTTP protocol and create your own. Otherwise, it's a stateless protocol - there's not supposed to be such a thing as the "previous" request. You've got a current request, and that's it.

There are various ways you can try to violate the standards (using the dreaded 'Referer' header, setting a cookie, etc.), but there's no way simple way to guarantee it.

rsmith

Thoughts about setting a cookie with a short expiry time that auto-clears on browser exit?

bradgrafelman

What happens for the privacy freaks out there who reject cookies from sites they don't know/trust? What happens if someone decides to modify the expiration of the cookie to be some date far into the future?

rsmith

Aha! Well played good sir. I think I've got a good solution in place that will keep the privacy buffs happy. Thanks for the input.