I want to hide the URL of a specific page to prevent users accessing it directly.

I have a form which users have to complete before being redirected to www.******.com/xyz.php.

When they have completed the form and been redirected, is it possible for the URL to be displayed as www.******.com?

Look forward to any advice!

Vadim Kotov
  • Why are you redirecting them? Why not just serve the content in response to the POST request from the form? – Quentin Sep 04 '17 at 15:18
  • Never think in terms of "hiding from the URL". The page the user sees is determined by the URL. The URL displayed in the browser is of the page the user sees. You cannot have the user visit page A but display page B in the address bar. If they're visiting page B, then page B is displayed in their address bar, otherwise they wouldn't be visiting page B. What you need to get into is the request-response thinking of HTTP, and that your server is always in full control of what *response* it sends to what *request*. URLs are just a small part of that. – deceze Sep 04 '17 at 15:31

1 Answer

Whilst it may not be best practice, you can serve one set of HTML for an HTTP GET action and another for the HTTP POST action. Your GET action can return the form and the response to the POST action could return your second page.

There are a number of reasons that this is a bad idea; these include:

  • HTTP POST is meant to cause a state change, not guard access to a page
  • It is easily defeated with any sort of proxy or REST client
  • Navigation in the browser may behave unexpectedly
  • The user would have to fill in the form for each visit.

It is far better to come up with an alternative solution like generating a temporary access token or setting a cookie to say that they have completed the form.

The best solution is perhaps up for debate, but a simple solution is to have two .php pages. Let's call them index.php and form.php. Your web server is configured to serve up index.php when a GET request is made to www.example.com. (The exact method to do this will depend on your server software.)

index.php checks for a cookie and redirects to form.php if the cookie is not set. See this question/answer for more details.

form.php responds to a GET request by serving the HTML for the form and to a POST request by setting the cookie and redirecting back to index.php.

ste-fu
  • "Easily defeated"…? It's not exactly supposed to be a defence against anything to begin with… – deceze Sep 04 '17 at 15:28
  • @deceze "to prevent users accessing it directly" - but maybe defence is still a bit too strong – ste-fu Sep 04 '17 at 15:40
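
The index.php / form.php flow from the answer above, as an added example that is not part of the original answer: a bare flag cookie can be set by any client, so this version issues an HMAC-signed, expiring token after the POST and verifies it before serving the page. The single router script, the `GATE_KEY` environment variable, the cookie name `form_done` and the one-hour lifetime are assumptions made for illustration.

```php
<?php
// gate.php (added example). Run: php -S 127.0.0.1:8000 gate.php
// One router script stands in for the answer's index.php ("/") and form.php.
const COOKIE_NAME = 'form_done';   // assumed name
const TOKEN_TTL   = 3600;          // assumed lifetime, seconds

function gate_key(): string {
    // Assumed: secret comes from the environment; fallback is for local demo only.
    return getenv('GATE_KEY') ?: 'demo-only-key';
}

// Token = "<expiry>.<HMAC-SHA256(expiry)>": the client cannot forge or extend it.
function issue_token(int $now): string {
    $exp = (string) ($now + TOKEN_TTL);
    return $exp . '.' . hash_hmac('sha256', $exp, gate_key());
}

function token_is_valid(string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $expected = hash_hmac('sha256', $parts[0], gate_key());
    // hash_equals() compares in constant time.
    return hash_equals($expected, $parts[1]) && (int) $parts[0] > $now;
}

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$now  = time();

if ($path === '/form.php') {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        // Validate the submitted fields here before issuing the token.
        setcookie(COOKIE_NAME, issue_token($now), [
            'expires' => $now + TOKEN_TTL, 'path' => '/',
            'httponly' => true, 'samesite' => 'Lax', // add 'secure' => true on HTTPS
        ]);
        header('Location: /', true, 303);
        exit;
    }
    echo '<form method="post" action="/form.php"><input name="email"><button>Send</button></form>';
    exit;
}

$cookie = $_COOKIE[COOKIE_NAME] ?? '';
if (!is_string($cookie) || !token_is_valid($cookie, $now)) {
    header('Location: /form.php', true, 302);
    exit;
}
echo 'Protected content served at /';
```

The token only proves that some client completed the form within the last hour; it is a bearer value and is not tied to a particular user.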