I have this local site where the second page has to only be accessible through a specific button, and not by direct access by writing the URL.
I have this simple example:
Page 1:
<html>
<head><title>page 1</title></head>
<body>
<button type="button"><a href="page2.html">to page 2</a></button>
</body>
</html>
Page 2:
<html>
<head><title>page 2</title></head>
<body>
<h1>PAGE 2</h1>
</body>
</html>
Thanks.
You don't want to rely on the HTTP Referer header to do this since it's easy to fake. The client can simply send the refer header along with the request even though they never loaded the first page.
To accomplish this you will need to generate a unique token (known only to your server and the client) and require that the second page receive this token in order to load the page.
For example:
<?php
function generateToken() {
return base64_encode(random_bytes(64));
}
session_start(); // start a session to store this token
$_SESSION['token'] = generateToken(); // store the token temporarily in the session
// you can also store it in your database or in memcached if you prefer
?>
<html>
<head><title>page 1</title></head>
<body>
<button type="button">
<a href="page2.php?token=<?=htmlspecialchars($_SESSION['token'])?>">
to page 2
</a>
</button>
</body>
</html>
Now the second page will need to verify that this token is correct.
<?php
session_start(); // load the session data
if (empty($_SESSION['token']) ||
empty($_GET['token']) ||
$_GET['token'] !== $_SESSION['token'])
{
echo "You did not reach this page by the link from page1!";
exit; // stop the page from loading
}
?>
<html>
<head><title>page 2</title></head>
<body>
<h1>PAGE 2</h1>
</body>
</html>
Change the button to input and give it a name.
<html>
<head><title>page 1</title></head>
<body>
<button type="button"><a href="page2.html">to page 2</a></button>
<form url="page2.php">
<input type="button" value="1" name="btn" />
</form>
</body>
</html>
page2.php
if (isset($_POST['btn']) && $_POST['btn'] == 1) {
// show page 2
} else {
// show error page
}
