-1

I am trying to prevent users from connecting to certain pages with a script. Thus, is there any method I can use to detect if a connection to a specific web page is a client browser versus an automated script?

I know certain headers can be spoofed, but is there another mechanism I can use; say like if unable to set a session_start or setCookie. Do those return true/false values if able or unable to be set?

Something like:

```php
$sessionID = session_id();
$isSet = setcookie('cookieName', $sessionID, [ /* ... */ ]);
if ($isSet == false) {
    // ... do something to kill the session
    // ... or do something to redirect
}
```

Is this even possible? And even if it is, I know this probably isn't reliable, but what would be a better or more reliable method?

And to clarify, detect if it's a script and if so, kill it before even serving the rest of the html page.

rolinger
  • Isn't this what Captchas are for? Are you a Robot? – devlin carnate Nov 09 '22 at 17:00
  • True, but I am trying to stop the connection from even happening. Like determine it's a script, if so, kill it before even trying to serve up the page. – rolinger Nov 09 '22 at 17:01
  • On the server side, there is no reliable way (request is request). You can only guess from the details of the request or from the timing of subsequent requests, but you can't be 100% sure. – Honk der Hase Nov 09 '22 at 18:56
  • Does this answer your question? [PHP - how to best determine if the current invocation is from CLI or web server?](https://stackoverflow.com/questions/933367/php-how-to-best-determine-if-the-current-invocation-is-from-cli-or-web-server) – Markus Zeller Nov 09 '22 at 21:10

3 Answers

0

If you are trying to prevent pages from being called entirely, you can reliably do this with a combination of using an .htaccess file and a PHP "check" file. This will check to see if the requested file came from your scripts, or an outside source. Make a directory, and put your "hidden" script files in it along with the following 2 files:

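.htaccess

```apache
php_value auto_prepend_file check.php
```

check.php

```php
<?php
    // Runs before every script in this directory (see the .htaccess directive).
    // Reject requests that do not carry an X-Requested-With header.
    if (empty($_SERVER["HTTP_X_REQUESTED_WITH"])) {
        header('Location: /page_404.php'); // Or whatever you want it to do.
        exit;
    }
```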

All the .htaccess directive does is make check.php happen before every script call -- So technically you COULD just include check.php at the top of every file. But I find this a more complete, elegant solution.

Zak
  • Thanks Zak, but can't a script also pass `HTTP_X_REQUESTED_WITH` in its connection header? – rolinger Nov 09 '22 at 17:11
  • @rolinger -- Technically, yes. However you can also set the REQUESTED WITH in addition to a session variable which cannot be mimicked unless the "bot" visited your page first. The point is, put all your secret files in one place, use a single conditional, or multiple conditionals (REMOTE_HOST, REQUESTED_WITH, _SESSION) in that IF statement. -- It's a blanket cover-all solution. – Zak Nov 09 '22 at 17:20
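
The cookie idea from the question and the session-variable idea from the comment above come down to the same round trip, sketched here as an added example (not code from the question or from Zak's answer): `setcookie()` returning `true` does not say whether the client accepted the cookie, so the only observable signal is whether the next request arrives with a session that already holds the token. The session keys `gate_token`/`gate_issued`, the `X-Gate-Token` request header and the 15-minute lifetime are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example. Assumed names: session keys gate_token/gate_issued,
// request header X-Gate-Token, 15-minute lifetime.

/** Called by the normal entry page: store a random token in the session. */
function gate_issue(array &$session): string
{
    $session['gate_token']  = bin2hex(random_bytes(32));
    $session['gate_issued'] = time();
    return $session['gate_token']; // embed in the page for its own requests
}

/** Called from check.php: may this request reach the protected script? */
function gate_allows(array $server, array $session): bool
{
    // Client-controlled header: a cheap first filter, never proof on its own.
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return false;
    }
    $expected = $session['gate_token'] ?? '';
    $sent     = $server['HTTP_X_GATE_TOKEN'] ?? '';
    // An empty session means the session cookie never came back, i.e. this
    // client did not load the entry page first (or does not keep cookies).
    if (!is_string($expected) || $expected === '' || !is_string($sent)) {
        return false;
    }
    $fresh = (time() - (int)($session['gate_issued'] ?? 0)) <= 900;
    return $fresh && hash_equals($expected, $sent); // constant-time compare
}

if (PHP_SAPI !== 'cli') {
    // Web request (file is auto-prepended): enforce the gate.
    session_start();
    if (!gate_allows($_SERVER, $_SESSION)) {
        http_response_code(404);
        exit;
    }
} else {
    // Constructed requests; run `php check.php` to print each decision.
    $session = [];
    $token   = gate_issue($session);
    $xhr     = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
    var_dump(gate_allows($xhr, []));                                          // header only, no session
    var_dump(gate_allows($xhr + ['HTTP_X_GATE_TOKEN' => 'guess'], $session)); // wrong token
    var_dump(gate_allows($xhr + ['HTTP_X_GATE_TOKEN' => $token], $session));  // entry page visited first
    var_dump(gate_allows(['HTTP_X_GATE_TOKEN' => $token], $session));         // token but no header
}
```

A client that loads the entry page, keeps its cookies and sends the token back passes this check, so it raises the cost of scripted access rather than proving a browser is present.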

0

You can check with php_sapi_name() if you are running on CLI.

This example will only allow scripts from CLI.

```php
// PHP_SAPI holds the same value php_sapi_name() returns; it is 'cli' on the command line.
if (PHP_SAPI !== 'cli') {
    die('CLI only');
}
```

You can reverse the condition to make it run only for the web server.

```php
if (PHP_SAPI === 'cli') {
    die('Web Server only');
}
```

Markus Zeller
  • [PHP - how to best determine if the current invocation is from CLI or web server?](https://stackoverflow.com/questions/933367/php-how-to-best-determine-if-the-current-invocation-is-from-cli-or-web-server) and [In PHP, how to detect the execution is from CLI mode or through browser ?](https://stackoverflow.com/a/1991365/2943403) and [What is the canonical way to determine commandline vs. http execution of a PHP script?](https://stackoverflow.com/q/173851/2943403) – mickmackusa Nov 09 '22 at 20:02
  • [The fundamental goal of closing duplicate questions is to help people find the right answer by getting all of those answers in one place.](https://stackoverflow.com/help/duplicates#:~:text=The%20fundamental%20goal%20of%20closing%20duplicate%20questions%20is%20to%20help%20people%20find%20the%20right%20answer%20by%20getting%20all%20of%20those%20answers%20in%20one%20place.) – mickmackusa Nov 09 '22 at 20:37
  • @mickmackusa Should we mark the question as duplicate instead of commenting this answer? – Markus Zeller Nov 09 '22 at 20:39
  • If you think this is the correct answer, then the best action for Stack Overflow is for you to vote to close as a duplicate, then see if your nominated dupe target would benefit from your insight. If you have something unique and valuable to add to SO, please add an answer on a canonical page instead of a new question. – mickmackusa Nov 09 '22 at 20:43

-4

You can use UserAgent

(You can see how to get it here: How to get user agent in PHP)

This will let you know the user's web browser, which, I assume, will be different for 'scripts'.

HmBloqued