0

Is there a way to make a page (e.g. base-name/admin/cars) inaccessible when writing it on the address bar? I need to make it accessible only by clicking on a link somewhere in the site. Is this possible? I do not know what to try and have searched for this for a while but found nothing.

CH123
  • 251
  • 1
  • 5
  • 15
  • 1
    you could set a session var on the page you have to click the link, then check that –  Nov 10 '17 at 05:55
  • 1
    You can do that with a one-time-use only token – Derek 朕會功夫 Nov 10 '17 at 05:58
  • Post or session variable. Get won't work. – Andreas Nov 10 '17 at 06:01
  • Make the click Event create a session. If the session is not set then redirect using `header('LOCATION:whereYouWantTheRedirect.php'); die;` – StackSlave Nov 10 '17 at 06:04
  • You may be able to just use `$_SERVER['HTTP_REFERER']` if it's only one page that has the link. If it's multiple pages it will be hard to maintain and post/session will be easier – Andreas Nov 10 '17 at 06:05
  • @PHP you don't need to make a click set the session. If you are on the page with the link the session can start and set the variable – Andreas Nov 10 '17 at 06:06
  • `$_SERVER['HTTP_REFERER']` cannot be trusted. The request was when a link is clicked, otherwise you may have to do work to avoid the unwanted page from loading, when another page is visited. – StackSlave Nov 10 '17 at 06:08
  • As easy workaround you can use an `.htaccess`-file in your root directory where you redirect the incomming request on an URI to the desired URI – Spears Nov 10 '17 at 06:12

3 Answers3

1

You can check the http referrer and if is empty, don't display the page or redirect them. See the following two Stackoverflow pages:

How to check the referrer: Checking the referrer

When will the referrer be empty: In what cases will HTTP_REFERER be empty

SteveB
  • 894
  • 7
  • 15
0

It can be possible in many ways, the way you think, like

  1. Using Session.

As Someone has typed into url.com/this-page , you don't want this page to gets opened untill and unless the user is not logged in. The thing you can do is, at the top of the page, you just need to check the session value. If session is set then its fine, or else it should be redirected to home page.

Example this-page.php let's say in CI I have made a common helper file which will check on all respective pages for session.

function isUser() 
{
    $CI = & get_instance();
    if (isset($CI->session->userdata['User'])) 
    {
      //logged in your stuffs.
    }
    else
    {
      //redirect('login-page');
    }
}
  1. URL Encoding.

By sending time and unique id parameter in link by encoding them. By Opening to that link the unique id will gets decoded and untill and unless it won't get open.

let's say the possible link can be

url.com/this-page/123456abcdef

What you need to do on this page is that, you need to check the id on given URL Link and decode it. If encoded and decoded gets correct value, the page is valid. Make sure that id should be saved anywhere so that you can track and decode it.

$unique_id = base64_decode($id);
 if($unique_id!=''&& $time!='')
{
  $cur_time = time();
  if ($cur_time - $time < 10800) 
  {
    //valid link
  }
  else
  {
     //link has been expired
  }
}
else
{
  // link has been broken.
}
Jaymin
  • 1,643
  • 1
  • 18
  • 39
0

I would do something like this:

document.getElementById('yourLinkId').onclick = function(e){
  // ajax should be here to send simple parameter - we'll call it granted:'yes'
  // upon success - location = 'theRestrictedPage.php'; - yup just like that
  e.preventDefault();
}

Now your PHP in page you want to restrict

<?php
session_start();
if(!isset($_POST['granted']) || $_POST['granted'] !== 'yes'){
  header('LOCATION:thePageAboveTheLinkWasOn.php'); die;
}
// if it passes condition page is accessible

/* if you want to force a click to happen again
unset($_SESSION['granted']);
*/
?>
StackSlave
  • 10,613
  • 2
  • 18
  • 35