Restricting access if not coming from certain referer(s) PHP

Question

I am racking my brain as to why this isn't working.

What I would like to achieve, is to restrict access to a page on my own Website, only if coming from a certain website, Facebook for instance.

Since a link will be posted on 1 or more Facebook pages and/or my personal profile, would like the script to execute if coming from Facebook and/or any other "PAGES" it's posted on.

For instance, if I post my link on www.facebook.com/This_is_my_PAGE or is posted on my personal profile www.facebook.com/freds_personal_profile or someone shares my link on Facebook, would like the page accessible only to those coming from the Facebook domain.

I found the script below while searching for a solution, but it's echoing my error message, instead of redirecting to the link in question.

$target_site = 'https://www.facebook.com/';
if (isset($_SERVER['HTTP_REFERER']) && preg_match("/$target_site/",$_SERVER['HTTP_REFERER'])) {
// do something with people from facebook.com
} 

else {
// do something else with everyone else

echo "Sorry, viewable to Facebook fans only.";

}

Perhaps you should echo content of `$_SERVER['HTTP_REFERER']` in your error message. That would give you a hint. — jasonlfunk, Jun 13 '12 at 19:51
HTTP_REFEER is not an obligatory header and it may not be set by the browser. — Zefiryn, Jun 13 '12 at 19:53

score 5 · Accepted Answer · answered Jun 13 '12 at 19:54

5

First of all, your code is flawed because:

What if the user is not using Facebook's "Secure version" (http rather than https)?
What if the user is coming from facebook.com rather than www.facebook.com?
What if a malicious user is tricking users into coming from a site like http://example.com/evilpage.php?https://www.facebook.com/?

The main reason it doesn't work is because your regex is completely invalid. Instead, it should be along the lines of:

preg_match("/".preg_quote($target_site,"/")."/i",$_SERVER['HTTP_REFERER']);

(documentation on preg_quote())

Aside from all of this, there is no security in checking the referrer. It can be changed, it can e blocked altogether. It should not be relied on.

answered Jun 13 '12 at 19:54

Niet the Dark Absol

320,036
81
464
592

I took this from another similar question asked on SO, thought it would've held water. It was an accepted answer. – Funk Forty Niner Jun 13 '12 at 20:03
2

An answer being accepted means that the person asking the question found it to be correct. That doesn't mean it's the best answer nor that it's even right at all, just that it helped the most in the asker's opinion. – Niet the Dark Absol Jun 13 '12 at 20:04
True Kolink. I will be more vigilant, if and when there's a next time. – Funk Forty Niner Jun 13 '12 at 20:09
I take it that using `.htaccess` would be a more secure method(?) – Funk Forty Niner Jun 13 '12 at 20:17

score 1 · Answer 2 · answered Jun 13 '12 at 19:53

1

Facebook hooks up external links to the http protocol, not https. Change your target site to this:

$target_site = 'http://www.facebook.com/';

You can confirm this by right-clicking a link posted in facebook and copying it to the clipboard (then pasting it). You'll see it looks like this:

`http://www.facebook.com/l.php?u=...`

This is the case regardless of whether you are actually browsing with https or http.

answered Jun 13 '12 at 19:53

Ben Lee

52,489
13
125
145

I did try that Ben thanks, even with http and https and it's still showing my error message. That's what I don't get. – Funk Forty Niner Jun 13 '12 at 19:56
Fred, also I just noticed your regex is completely busted. See @Kilink's answer. – Ben Lee Jun 13 '12 at 19:57
I'm working on his code now, getting a 500 error for some reason. – Funk Forty Niner Jun 13 '12 at 20:04
Update: Works! Kolink was right on the nose, and I appreciate your added input as well. the l.php?= was a nice touch. Cheers~ – Funk Forty Niner Jun 13 '12 at 20:13

Restricting access if not coming from certain referer(s) PHP

2 Answers2

Linked