I have a flask app that redirects to a php site on an Apache server. I don't have much experience with php. The flask app is at mysite.xyz and the php site is at mysite.xyz/page1. I would like to deny access to anyone going to mysite.xyz/page1 unless they are coming from mysite.xyz. Something along the lines of:

if not coming from 'mysite.xyz':
    redirect to 'mysite.xyz'
else:
    pass

Except at the beginning of my php and in php.

Mike Kruse

1 Answer

Look at http://php.net/manual/en/reserved.variables.server.php and check the 'HTTP_REFERER' part.

Example Code:

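<?php
// The Referer header holds a full URL and may be absent, so compare only its host.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if (parse_url($referer, PHP_URL_HOST) === "mysite.xyz") {
    // ok, continue to load the page...
} else {
    die("not allowed");
}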

However, you can SPOOF the referrer to make it seem to be coming from mysite.xyz (but it is not the case) so it will never be secure.

Is there an option to provide an authentication system to your users to be able to handle this functionality without security flaws?

Cagy79

I added that code to my page1 and $_SERVER['HTTP_REFERER'] returns blank, so I guess that is out. However, your last comment makes me think that there is a better way to accomplish what I want. mysite.xyz is a login app in flask that redirects to mysite.xyz/page1 if they are an authorized user. I don't want people to be able to access mysite.xyz/page1 directly without logging in through the flask app. Is there a better way to do this? – Mike Kruse Aug 07 '17 at 00:37
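
An added example, not code from the original posts, of one way to do what the comment asks: the Flask login app hands page1 a short-lived HMAC-signed token on redirect, and page1 checks that token instead of the Referer header. The shared secret, the 60-second lifetime, the token layout and all function names are assumptions made for this example.

```python
import base64, hashlib, hmac, time
from urllib.parse import urlparse

SECRET = b"constructed-demo-key"  # assumption: known only to the Flask app and page1
MAX_AGE = 60                      # assumption: seconds a handoff token stays valid

def referer_allows(headers):
    """The Referer check from the answer: it trusts a value the client chooses."""
    return urlparse(headers.get("Referer", "")).hostname == "mysite.xyz"

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_token(user, now=None):
    """Flask side: call after a successful login and append to the redirect URL."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def verify_token(token, now=None):
    """page1 side: return the user name, or None if the request must be refused."""
    now = int(time.time() if now is None else now)
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode("ascii"))
        # Constant-time comparison, done before the payload is parsed or trusted.
        if not hmac.compare_digest(_sign(payload), sig.encode("ascii")):
            return None
        user, issued = payload.decode().rsplit("|", 1)
        age = now - int(issued)
    except ValueError:  # wrong shape, bad base64, non-ASCII or non-numeric field
        return None
    return user if 0 <= age <= MAX_AGE else None

if __name__ == "__main__":
    # Constructed sample requests.
    print(referer_allows({"Referer": "http://mysite.xyz/"}))  # header set by the client
    print(referer_allows({}))                                 # browser sent no Referer
    token = issue_token("mike")
    print(verify_token(token))
    print(verify_token(token[:-1] + ("0" if token[-1] != "0" else "1")))
```

In PHP the same verification on page1 uses hash_hmac('sha256', $payload, $secret) for the signature and hash_equals() for the comparison. The token is replayable until it expires, so it should travel over HTTPS and the lifetime should stay short.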