I have a webpage ("research.php") with links to PDF files and want to display a disclaimer ("disclaimer.html") before anyone sees the files. At the moment I've accomplished this by checking the value of HTTP_Referrer and redirecting if it's not from the disclaimer page.

Code:

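// The Referer header is optional, so default to an empty string
$ref = $_SERVER['HTTP_REFERER'] ?? '';

// Send the visitor to the disclaimer unless they arrived from it
if ($ref !== 'http://my.site.com/disclaimer.html') {
    die('<META HTTP-EQUIV="Refresh" CONTENT="0;URL=disclaimer.html">');
}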

The research page contains links to PDF files that are held in a separate directory which is restricted to local access using .htaccess. PDFs are served by a PHP script ("download.php") that also checks HTTP_Referrer.

I understand that the HTTP_Referrer variable can be spoofed, making this method insecure, and have a couple of questions:

Firstly, is it possible for someone to link directly from a different website to either the research page or the download script and spoof HTTP_Referrer such that their visitors would be able to bypass the disclaimer? Based on a different question, my understanding is that HTTP_Referrer can easily be spoofed on an individual's PC but that it's much harder to do it for a website visitor?

Secondly, are there ways to make the download.php script more secure, for example by putting it in a directory restricted to local access using .htaccess? I'm currently calling the script using a simple link of the form "a href="download.php?..." so my understanding is that this won't work - is that correct?

Any comments appreciated. The bottom line is that I want it to be difficult / impossible to link to the pages or files from another website without showing the disclaimer or without the owner of that website actually storing the PDFs on their website. No doubt any solution will have certain vulnerabilities but what I'm trying to understand is how tricky it is for an experienced web designer to bypass the disclaimer page.

UPDATE: jszobody's response below clearly outlines a better way of doing this and so answers the question - but I'd still be interested to know how much work is involved in spoofing HTTP_REFERRER from a link on a 3rd party website if anyone can explain it simply.

Si_Reid

1 Answer

I'd consider using a session for this.

On disclaimer.php:

session_start();
$_SESSION['viewed_disclaimer'] = true;

On research.php:

session_start();
// empty() also covers the case where the flag was never set
if (empty($_SESSION['viewed_disclaimer'])) {
    header("Location: disclaimer.php");
    die();
}

You get the idea. You could also protect the individual PDF files by not linking to them directly, but rather using a PHP passthrough script.

Call it download.php:

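session_start();
// Send visitors who have not seen the disclaimer back to it
if (empty($_SESSION['viewed_disclaimer'])) {
    header("Location: disclaimer.php");
    die();
}

// basename() drops any directory part of the requested name
$filename = basename($_GET['filename'] ?? '');
$path = "path/to/my/pdfs/" . $filename;
if ($filename !== '' && is_file($path)) {
    // Send headers for a PDF file, and read out the file
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}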

Then you can link to download.php?filename=myfile.pdf from research.php.

Make sense?

jszobody
  • Many thanks for this - I considered going down this route but wondered if HTTP_REFERRER was a simpler way to accomplish what I was looking for. Is it easy to explain why using sessions is a more secure way of doing it? – Si_Reid Nov 14 '13 at 13:45
  • Because outside websites and users can't spoof a session variable. Only you can set those. – jszobody Nov 14 '13 at 13:49
  • Also, I already have a download.php script in the same vein as you suggest but checking HTTP_REFERRER rather than using sessions. Is it necessary / possible to protect the download.php script by putting it into a restricted access directory? – Si_Reid Nov 14 '13 at 13:50
  • Typically "restricted access directory" means password protected. Do you want downloads to require a password from the user? If so, sure go for it. If all you want is to verify they've seen the disclaimer, then no that doesn't help you at all. – jszobody Nov 14 '13 at 13:52
  • I was thinking along the lines of using .htaccess to restrict access to localhost rather than from external pages (in the same way as download.php allows you to protect the PDF files from external access) but I'm not clear if that works in this case given that the link will be from a standard html page rather than a PHP script? – Si_Reid Nov 14 '13 at 14:01
  • Restricting access to localhost will mean no users can hit that page at all. The session answer is simple, covers all your bases, can't be spoofed... it's everything you wanted, right? I'm confused as to why you're still looking for a different solution. – jszobody Nov 14 '13 at 14:04
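
Why the session check holds where the Referer check does not, as an added example that is not part of the original question or answer: the Referer arrives inside the request, which the client composes, while the session flag is stored on the server. `gate()`, `resolve_pdf()`, the temporary directory and the sample requests are names and data assumed for illustration.

```php
<?php
// Added example (not the answerer's code): the disclaimer gate written as
// pure functions so it runs from the CLI. All names here are hypothetical.

// Map a requested name to a real file inside $dir, or null if not allowed.
function resolve_pdf(string $requested, string $dir): ?string
{
    $name = basename($requested);                  // drop any directory part
    if (!preg_match('/\A[\w.-]+\.pdf\z/i', $name)) {
        return null;                               // only plain *.pdf names
    }
    $base = realpath($dir);
    $real = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // After resolving symlinks the file must still be inside the PDF directory.
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// $session is server-side state; $request is everything the client sent.
// Returns [HTTP status, redirect target or file path].
function gate(array $session, array $request, string $dir): array
{
    // $request['referer'] is deliberately never consulted.
    if (empty($session['viewed_disclaimer'])) {
        return [302, 'disclaimer.php'];
    }
    $path = resolve_pdf($request['filename'] ?? '', $dir);
    return $path === null ? [404, null] : [200, $path];
}

// Constructed sample data: a temporary PDF directory and three requests.
$dir = sys_get_temp_dir() . '/pdf_gate_demo';
@mkdir($dir);
file_put_contents("$dir/report.pdf", "%PDF-1.4 constructed sample\n");
$referer = 'http://my.site.com/disclaimer.html';

$cases = [
    'referer set, no session flag' => [[], ['referer' => $referer, 'filename' => 'report.pdf']],
    'session flag, no referer'     => [['viewed_disclaimer' => true], ['filename' => 'report.pdf']],
    'session flag, path in name'   => [['viewed_disclaimer' => true], ['filename' => '../../etc/passwd']],
];
foreach ($cases as $label => [$session, $request]) {
    [$status] = gate($session, $request, $dir);
    printf("%-30s -> %d\n", $label, $status);
}
```

In a real download.php the `$session` argument would be `$_SESSION` after `session_start()`, and the 200 branch would send the PDF headers and call `readfile()` on the returned path.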