0

I have a .php file and I would like for it to only load if the user is coming from a specific page.

i.e. user must be coming from www.domain.com/main/index.php in order for page www.domain.com/web/music/test.php to load.

I have tried this:

<?php

$referrer = $_SERVER['HTTP_REFERER'];

if ($referrer != 'www.domain.com/main/index.php') {
    die("This page can only be accessed from www.domain.com/main/index.php.");
}

// put your page code here

?>

But it gives me this error: Notice: Undefined index: HTTP_REFERER.

Any idea how to do this?

propcode
  • From the manual: `The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.` – Daan May 11 '15 at 14:55
  • You need `isset()` because HTTP_REFERER might not be set. With this code you can check for its existence and use it if it is available without errors: `$referrer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');` This shorthand code is known as **Ternary Operator** – MonkeyZeus May 11 '15 at 14:58
  • @Daan So is there another way to do what I want to achieve? – propcode May 11 '15 at 14:59
  • `$_SERVER['HTTP_REFERER']` isn't reliable anyway. Here, have a read http://stackoverflow.com/a/6023980/ – Funk Forty Niner May 11 '15 at 15:01

3 Answers

1

One way would be with sessions: add a session on every page.

page1.php:

<?php
session_start();
$_SESSION['PREV_PAGE'] = 'page1.php';

page2.php:

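<?php
session_start();
// Only run the page when the previous page recorded in the session is page1.php
if (isset($_SESSION['PREV_PAGE']) && $_SESSION['PREV_PAGE'] == 'page1.php') {
    // Your code here.
}

// Record this page as the most recent one for the next request
$_SESSION['PREV_PAGE'] = 'page2.php';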
Daan
  • You need to use `isset` to ensure the value is really set. E.g. when going to the site the first time it won't be set. – Nidhoegger May 11 '15 at 15:03
  • @Nidhoegger Not really necessary for this example, but safer; I've edited it. – Daan May 11 '15 at 15:07
0

The easier way would be to use a Session variable.

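session_start();
if (!isset($_SESSION['page_referer'])) {
    // HTTP_REFERER is optional, so guard against it being absent
    $_SESSION['page_referer'] = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
}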

Put that at the top of the page, and you will always be able to access the first referer that the site visitor was directed by.

And don't forget to escape `$_SERVER["HTTP_REFERER"]`, since it's a common attack vector for web apps.

Hardy Mathew
0

You cannot trust HTTP_REFERER. It is not necessarily set and some user agents can spoof it.

If you want to use it, you need to check HTTP_REFERER via isset to make sure the value you try to access is really set:

if ((isset($_SERVER['HTTP_REFERER']) &&
     $_SERVER['HTTP_REFERER'] != 'www.domain.com/main/index.php') ||
    !isset($_SERVER['HTTP_REFERER'])) {
    die("This page can only be accessed from www.domain.com/main/index.php.");
}

You should consider another method of achieving the access prevention. PHP has some built-in mechanisms that might help you. You could e.g. start a session and store the last page the user visited every time a page is opened, then check the session value for the last visited page. See: http://php.net/manual/en/book.session.php

Nidhoegger
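
The session approach suggested in the answers by Daan and Nidhoegger, taken one step further as an added example (not code from any of the answers): the source page issues a random, single-use, short-lived token, and the target page only loads when the link carries it. The function names, the `entry_token` session key, the `t` query parameter and the 300-second lifetime are assumptions; the demo at the bottom uses a constructed array in place of `$_SESSION`.

```php
<?php
// Added example. Names, the 'entry_token' key and the lifetime are assumptions.

const ENTRY_TOKEN_TTL = 300; // seconds a token stays valid (assumed value)

// Call on main/index.php after session_start(), passing $_SESSION and time().
// Put the returned value in the link: /web/music/test.php?t=<token>
function issue_entry_token(array &$session, $now)
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG (PHP 7+)
    $session['entry_token'] = array('value' => $token, 'issued' => $now);
    return $token;
}

// Call at the top of web/music/test.php after session_start():
//   $t = isset($_GET['t']) ? $_GET['t'] : null;
//   if (!consume_entry_token($_SESSION, $t, time())) { die('...'); }
// The stored token is removed on every attempt, so a reload needs a new one.
function consume_entry_token(array &$session, $presented, $now)
{
    $stored = isset($session['entry_token']) ? $session['entry_token'] : null;
    unset($session['entry_token']); // single use, even when the check fails

    if (!is_array($stored) || !is_string($presented)) {
        return false; // nothing was issued, or no token was sent
    }
    if ($now - $stored['issued'] > ENTRY_TOKEN_TTL) {
        return false; // issued too long ago
    }
    return hash_equals($stored['value'], $presented); // constant-time compare
}

// Demonstration: constructed array standing in for $_SESSION, fixed clock values.
$session = array();

$t = issue_entry_token($session, 1000);
var_dump(consume_entry_token($session, $t, 1010));   // link followed from the source page
var_dump(consume_entry_token($session, $t, 1011));   // same link reused
issue_entry_token($session, 2000);
var_dump(consume_entry_token($session, 'guess', 2001)); // token not issued by the site
$t = issue_entry_token($session, 3000);
var_dump(consume_entry_token($session, $t, 3000 + ENTRY_TOKEN_TTL + 1)); // stale token
var_dump(consume_entry_token($session, null, 4000)); // direct visit, nothing issued
```

Unlike the `Referer` header, both the token and the record of it live under the server's control, so the check does not depend on what the user agent chooses to send. It enforces navigation order only and does not replace authentication for content that must stay private.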