0

If I want people to access a certain page on my website only by using a link within my website, and not by typing it into the address box, then would this do...

Please note that the user would first have to login to their account and all member pages have been set so that the user must login into their account before accessing member pages.

<?php
// Check as posted: relies on the Referer header the browser sends
if (isset($_SERVER['HTTP_REFERER'])) {
    // show page content
} else {
    header('Location: http://');
    exit();
}

Am I correct in saying, that if a link is clicked then the page will show, but if the link is not clicked and the address of where the link points to is typed in the address bar it will do a redirect.

I am asking as the link will direct people to a form, and I don't want that form being accessed without first having some variables set on the previous page, or being accessed without logging in (as people could create their own link on another website which points to the same location).

Thanks

carlgcode
  • 255
  • 1
  • 6
  • 16

5 Answers

3

It is not secure in any way. From here:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

Andrey
  • 59,039
  • 12
  • 119
  • 163
2

Users can set the referrer to whatever they want, so no, checking that that's set is not a secure way of checking that they came to your second page via the first.

CanSpice
  • 34,814
  • 10
  • 72
  • 86
  • How do they set the referer themselves?? – carlgcode Aug 31 '11 at 23:53
  • The quickest way I would do it would be to just create a host on my system that is www.yourdomain.com and then create a site from there with a link and click. That's how I would do it without any knowledge of actually how to spoof it. I'm sure there are Firefox plugins that spoof it in half the energy I just explained. – Layke Aug 31 '11 at 23:54
1

HTTP_REFERER can be spoofed pretty easily. When you want forms to be secure, implement some sort of CSRF protection by adding a hidden token to the field and ensuring it matches when you submit the form. Your best bet is to make sure their credentials are actually valid.

Cyclone
  • 17,939
  • 45
  • 124
  • 193
0

This seems very buggy to me; if you want certain variables to be set and/or a user to be logged in, just check for all these conditions at the top of the form page and redirect the visitor somewhere else if the conditions are not met.

jeroen
  • 91,079
  • 21
  • 114
  • 132
  • Does it not make sense that a user will have to login first, and if not logged in all the pages will be inaccessible, so the page can only be accessed using the link that I have set, no? – carlgcode Sep 01 '11 at 00:10
  • @carlgcode No, the link is not important, you should check on any page that requires the user to be logged in, whether the user is logged in and redirect automatically to the login page or an error page if that is not the case. – jeroen Sep 01 '11 at 01:51
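The approach Cyclone and jeroen describe (check the login state and the required variables at the top of the form page, and protect the form itself with a hidden CSRF token) as a single worked example. This is added code, not from the question or any of the answers; it assumes a session-based login that stores $_SESSION['user_id'], a previous page that stores its values in $_SESSION['step1'], and the URLs /login.php and /step1.php, all of which are assumed names.

```php
<?php
// Added example, not code from the original question or answers. Enforces the
// conditions the answers recommend instead of trusting HTTP_REFERER, which the
// client controls. Assumed names: $_SESSION['user_id'] (set by a login page),
// $_SESSION['step1'] (set by the previous page), /login.php and /step1.php.

session_start();

// 1. Require a logged-in user on every member page; how the visitor arrived is irrelevant.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');   // assumed login URL
    exit();
}

// 2. Require the state the previous page was supposed to set.
if (empty($_SESSION['step1'])) {
    header('Location: /step1.php');   // assumed URL of the previous page
    exit();
}

// 3. CSRF protection: a per-session random token placed in a hidden field and
//    compared on submit. Someone linking to this form from another site cannot
//    read the token, so a forged submission fails the check.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_token_is_valid(?string $submitted): bool
{
    // hash_equals() compares in constant time; a missing or wrong token fails.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form submission.');
    }
    // ... process the form using $_SESSION['step1'] and $_POST here ...
    exit('Form accepted.');
}

// Render the form with the token in a hidden field (escaped for HTML).
$token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="text" name="answer">'
   . '<button type="submit">Send</button>'
   . '</form>';
```

The three checks run before any output, so a visitor who types the form's URL directly, or follows a link from another site, is redirected unless the session already carries the login and the previous page's values; the Referer header is never consulted.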
0

I'm unsure what you mean about having variables set from the previous page, or how you are achieving this. It's possible of course, but I would be interested how you are going about it.

You are correct in your question however, that when coming from another page the referrer will be set to that page. In terms of security however, it's not a good idea to rely on it as it is easily spoofed. The only sure way is to ask for credentials (a username and password, etc.), which it sounds like you are already doing.

Could you not test to see if the variables are set, and if they aren't then redirect?

phindmarsh
  • 879
  • 6
  • 11