
Suppose I am building a website. I want the user to be able to access the index.php file only. I also have other files, like www.mydomain.com/aboutus.php, and the user can access them if he types this into his address bar. I want the user to be able to access www.mydomain.com only.

How are such security features built?

user2178841
  • You are looking for a login token(?) or just a session/permission cookie. – mario Jul 14 '13 at 19:08
  • What are you asking? lol – Jay Harris Jul 14 '13 at 19:09
  • @mario I do not know the details of login tokens or session permissions. I guess just a session/permission cookie. But I would appreciate a description of both. (I guess by login token you mean user permissions and so forth.) – user2178841 Jul 14 '13 at 19:15
  • I still want to know what login tokens and session permission cookies are. I don't know whether to edit the above, or delete it first and google the terms. – user2178841 Jul 14 '13 at 19:20

1 Answer

If I understand correctly that you want to allow them only to access your index/root document (www.mydomain.com/index.php etc.) and not to be able to type in www.mydomain.com/aboutus.php, it is fairly simple using the HTTP referrer to make sure that the page they came from was the right one:

Important note (edit): The $_SERVER type variables are susceptible to forgery by the client from something like cURL or even telnet and can be the basis for CSRF type attacks, so this is by no means a secure implementation vs. something like session tokenization.

aboutus.php at the very top:

<?php
// Put the URL they came from (the header is absent when the URL was typed in, so default to '')
$ref = $_SERVER['HTTP_REFERER'] ?? '';

if ($ref !== 'http://mydomain.com/index.php') {
  // uncomment below to redirect them automatically instead of stopping with a message;
  // the redirect has to be sent before die(), because die() ends the script
  // header('Location: index.php'); exit;
  die("Must come here from index");
}
// Otherwise they came from index so show the page.
$content = 'About us text goes here'; // placeholder: the page body, however you load it
echo "Displaying about page:";
echo $content;
?>
cerd
  • This isn't truly secure though. The referer can be freely spoofed on client side. – Pekka Jul 14 '13 at 20:53
  • @Pekka웃 - I understand your concern. Might you be able to edit/revise or post a new answer incorporating something like the above but with a $_SESSION token based strategy for this use case? I did some looking around to attempt to edit my answer to incorporate this, but am not fully confident. – cerd Jul 14 '13 at 21:16
  • 1
    @Pekka웃 - edited my answer to include bold disclaimer that this is not a secure implentation/solution vs. something like session tokenization/uids. – cerd Jul 14 '13 at 21:21
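The comments above ask for the session-based variant the answer's disclaimer refers to. The script below is an added example, not code from the answer or the question: it puts the answer's Referer gate beside a gate that keeps a flag in the server-side session, and feeds both the same simulated requests so it runs from the command line without a web server. The canonical index URL http://www.mydomain.com/index.php, the flag name visited_index and the request arrays are assumptions made for the example.

```php
<?php
// Added example; not code from the answer above. It puts the answer's Referer gate
// beside a session-flag gate and feeds both the same simulated requests, so it can be
// run from the command line (php gates.php) without a web server.
// Assumptions: the site's canonical index URL is http://www.mydomain.com/index.php,
// and the session flag name 'visited_index' is our own choice.
declare(strict_types=1);

// Gate 1: the Referer check from the answer. The header is sent by the client, so the
// client decides what it contains.
function referer_gate(array $server): bool
{
    // Referer is often absent (URL typed in, Referrer-Policy, HTTPS -> HTTP), so default to ''.
    $ref = $server['HTTP_REFERER'] ?? '';
    return $ref === 'http://www.mydomain.com/index.php';
}

// Gate 2: a flag in the server-side session. index.php calls mark_index_visited($_SESSION)
// after session_start(); aboutus.php calls session_gate($_SESSION). The browser only holds
// the session ID cookie and cannot write into $_SESSION, so the flag cannot be forged.
function mark_index_visited(array &$session): void
{
    $session['visited_index'] = true;
}

function session_gate(array $session): bool
{
    return ($session['visited_index'] ?? false) === true;
}

// In aboutus.php the session gate sits at the very top, before any output:
//   session_start();
//   if (!session_gate($_SESSION)) { header('Location: /index.php', true, 303); exit; }

// Constructed requests (not captured traffic), as the $_SERVER array each would produce.
$from_index = ['HTTP_REFERER' => 'http://www.mydomain.com/index.php']; // followed a link on index.php
$typed_url  = [];                                                      // typed aboutus.php into the address bar
$forged     = ['HTTP_REFERER' => 'http://www.mydomain.com/index.php']; // curl -e http://www.mydomain.com/index.php http://www.mydomain.com/aboutus.php

function report(string $label, bool $allowed): void
{
    printf("%-40s %s\n", $label, $allowed ? 'allowed' : 'blocked');
}

echo "Referer gate:\n";
report('browser arriving from index.php', referer_gate($from_index));
report('URL typed into the address bar', referer_gate($typed_url));
report('curl with a forged Referer', referer_gate($forged)); // same bytes as the legitimate request

echo "\nSession gate:\n";
$legit_session = [];
mark_index_visited($legit_session);   // index.php ran in this visitor's session
$attacker_session = [];               // fresh session: index.php never ran for it, whatever headers it sends
report('visitor who loaded index.php first', session_gate($legit_session));
report('direct request with a fresh session', session_gate($attacker_session));
```

Two things to check before using either gate on a real site. The answer compares the Referer against one exact string, so a visitor who arrived from http://www.mydomain.com/ (the root, without index.php spelled out) or whose browser omits the header under its Referrer-Policy is blocked just like the curl request; the session gate has no such false positives, because it only asks whether this browser's session has already run index.php. It also answers only that question: if the site must enforce that aboutus.php is reached by clicking through from index.php each time, clear the flag at the top of aboutus.php after the check passes.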