0

I have to code a page that will only allow users that click on a specific link to access that page. I don't want people to be able to type the address directly into the address bar and have access. Only from a specific page and a specific link on that page.

Security is important as it is for a product download.

Anyone know how I would do this in PHP?

Dustin James
  • 575
  • 9
  • 21
  • possible duplicate of [Preventing direct access from url](http://stackoverflow.com/questions/7414323/preventing-direct-access-from-url) – Marc B Dec 01 '11 at 17:28
  • @MarcB Sorry mate, I had a good look through existing questions and didn't find what I was looking for. I don't think this is a duplicate of your link though. – Dustin James Dec 01 '11 at 17:39
  • There's plenty of other versions of this question floating around. And they all boil down to the same thing: at most you can make it harder to prevent direct access, but you can't make it impossible. – Marc B Dec 01 '11 at 17:49

6 Answers

1

You would need to establish session tracking (logging users in). Simply using a link and using a referral type check is not enough.

Also for downloads I would create a handler like a download.php file that would fetch the required page to download.

That way nobody will copy your documents if someone has access once.

Jakub
  • 20,418
  • 8
  • 65
  • 92
1

Your best bet is to use sessions and have a user authenticated. Then you check whether they have logged in at the top of this "download" script.

Alternatively, you can use the $_SERVER['HTTP_REFERER'] variable and check at the top of your page that they are coming from the correct place. This would (I think) prevent users from just going straight to the download page by typing in the URL.

<?php
// Compare the client-supplied Referer header against the expected page.
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == 'http://mysite.com/downloadlist.php') {
    //proceed
} else {
    //kick user out
    header('HTTP/1.1 403 Forbidden');
    exit;
}

But like I said, sessions are the way to go here. From the PHP manual on HTTP_REFERER:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

MikeMurko
  • 2,214
  • 1
  • 27
  • 56
  • 2
    the referer can be forged easily :( – Tomáš Fejfar Dec 01 '11 at 17:32
  • As I mentioned in my answer. But the OP obviously isn't interested in tight security if this is how he/she wants to go about things. – MikeMurko Dec 01 '11 at 17:33
  • The challenging part is that the page they will be coming from is a third party page, therefore, I can't do much with the code there except post a link on that page that directs the user to the download page. @MikeMurko - wouldn't your solution work in this scenario as it will be a specific page they are linking from? If I set the referer to that page, theoretically, it seems like that would do it - thoughts? – Dustin James Dec 01 '11 at 17:42
  • Yup that's exactly what you would do. Set the if statement to check whether it comes from that third party's website. – MikeMurko Dec 01 '11 at 17:53
1

I would use one-time hashes for download. The user is presented with a download page and a link like:

/download.php?downloadId=3B4A34086BH56FH5343DC

The hash is stored in the database. In download.php you check if the hash is in the database. If it is, you push the download data and remove the hash from the database. If anyone else tries to use that link, they will not get the data, because the hash won't be in the database anymore.

(The same can be achieved with hash-named files and unlink() if you don't have database access.)

Tomáš Fejfar
  • 11,129
  • 8
  • 54
  • 82
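The single-use token scheme from this answer, as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite table (the table name, the downloadId format and the $files map are assumptions); the token is deleted in the same transaction that looks it up, so a replayed URL finds nothing.

```php
<?php
// Added example: single-use download tokens backed by SQLite via PDO.
// Table/column names and the $files map are assumptions for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE download_tokens (
    token TEXT PRIMARY KEY, file_id TEXT NOT NULL, expires_at INTEGER NOT NULL)');

// Files that may be served, keyed by id; keep them outside the web root.
$files = ['manual' => '/var/downloads/manual.pdf'];

// Called by the page that renders the link: mints a random, unguessable
// token bound to one file with a short lifetime.
function issueToken(PDO $db, string $fileId, int $ttl = 600): string {
    $token = bin2hex(random_bytes(16));            // 128 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO download_tokens VALUES (?, ?, ?)');
    $stmt->execute([$token, $fileId, time() + $ttl]);
    return $token;
}

// Called by download.php: looks the token up and deletes it in one
// transaction; the file path is returned only if the delete removed a row,
// so two concurrent requests for the same token cannot both succeed.
function redeemToken(PDO $db, array $files, string $token): ?string {
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) return null; // reject junk early
    $db->beginTransaction();
    $sel = $db->prepare('SELECT file_id FROM download_tokens WHERE token = ? AND expires_at > ?');
    $sel->execute([$token, time()]);
    $fileId = $sel->fetchColumn();                 // false if unknown or expired
    $del = $db->prepare('DELETE FROM download_tokens WHERE token = ?');
    $del->execute([$token]);                       // also clears expired rows
    $db->commit();
    if ($fileId === false || $del->rowCount() !== 1) return null;
    return $files[$fileId] ?? null;
}

// Flow for /download.php?downloadId=<token>
$token = issueToken($db, 'manual');
$first = redeemToken($db, $files, $token);         // path to the file
$again = redeemToken($db, $files, $token);         // null: token already spent
if ($first !== null) {
    // In download.php you would stream the file here instead of echoing:
    // header('Content-Type: application/octet-stream'); readfile($first);
    echo "first request: served {$first}\n";
}
echo "replay: " . ($again === null ? "denied" : "served") . "\n";
```

The token only makes the link unguessable and single-use; it does not identify the user, so pair it with the session-based login the other answers recommend if the download must be tied to a specific account.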
1

You should not use the referer as an authentication method. The referer can easily be changed or set. For example, this command sets my referer to stackoverflow.com:

curl -e http://stackoverflow.com/ -D - brb3.org/referrer.php

Its output would look something like this:

HTTP/1.0 200 OK
Date: Thu, 01 Dec 2011 17:43:55 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze3
Vary: Accept-Encoding
Content-Length: 54
Content-Type: text/html
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:8080
Via: 1.0 localhost (squid/3.1.14)
Connection: keep-alive

$_SERVER['HTTP_REFERER'] = http://stackoverflow.com/

You should instead use a one-time hash download script, or sessions.

Valnour
  • 11
  • 1
0

You can use PHP HTTP Authentication:

http://php.net/manual/en/features.http-auth.php

whobutsb
  • 1,075
  • 4
  • 13
  • 28
0

You could also use some JS to attach some POST parameters when the user links to your page and have a quick and dirty test that way. A link on how to do it is HERE. I agree with the others that the best and most secure way is to use some form of authentication.

Ian
  • 3,806
  • 2
  • 20
  • 23