2 Replies Latest reply on Aug 29, 2006 6:03 AM by Newsgroup_User

    Referer Access only

    Jamal_Dayes
      I have a group of web pages (PHP) that I only want to allow access to if the user comes from a specific URL; otherwise I want to divert all other users back to the login page of the external website.

      A better way of describing this would be: The external site has a members' area and I want my site to form part of the membership area, thus only users coming from within the members' area can access my pages. The link to my site will come from a specific page in the members' area, so I was thinking that I could use some sort of referer URL access script to check where the user is coming from before granting access.

      Any ideas how I can approach this?
        • 1. Re: Referer Access only
          Level 1
          Put all of your user access pages under the same folder and grant user access only to the parent folder. Everything under there will be unreadable by anyone not logged into the parent folder.
          • 2. Re: Referer Access only
            Level 7
            On Tue, 29 Aug 2006 09:11:08 +0000 (UTC), "Jamal Dayes"
            <webforumsuser@macromedia.com> wrote:

            >The external site has a members'
            >area and I want my site to form part of the membership area, thus only users
            >coming from within the members area can access my pages.


            There is no reliable way to do that when the referring page is from
            another site. The HTTP_REFERER header is unreliable because some
            firewalls, proxy servers, and even some browsers block it. It's also
            easily faked when it is sent.

            Now, how important is this? If it's okay that it's not reliable, it
            would be easy enough to do using a bit of PHP. Just put something like
            this at the VERY TOP of the source code of your page:

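            <?php
            // Redirect when a Referer header is received but is not the expected page.
            // Requests that arrive with no Referer header are let through.
            if (!empty($_SERVER['HTTP_REFERER']) &&
                $_SERVER['HTTP_REFERER'] != "http://example.com/page.html") {
                header("Location: http://www.example.com/login.html");
                exit; // stop here so the page body is not sent along with the redirect
            }
            ?>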

            Change the 2 URLs to match the referring page and the login page
            respectively. It will allow anyone in where the referrer is not
            received, or where the referrer is the specified page. It will re-direct
            anyone where the referrer is received, but does not match the specified
            page.

            Gary
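
The check from the reply above, written out as an added example that is not part of the original thread: it runs the post's lenient rule (a missing Referer is allowed) next to a strict variant over a few constructed requests, to show where each one fails. The function name `referer_decision` and the sample requests are assumptions made for illustration; the two URLs are the placeholders from the post.

```php
<?php
// Added example, not code from the thread. URLs are the post's placeholders.
const EXPECTED_REFERER = 'http://example.com/page.html';
const LOGIN_URL        = 'http://www.example.com/login.html';

/**
 * Decide what to do with a request based only on its Referer header.
 * $allowMissing = true reproduces the rule in the post (no header => allowed);
 * $allowMissing = false is a strict variant (no header => redirected).
 * Returns 'allow' or 'redirect'.
 */
function referer_decision(array $server, bool $allowMissing): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return $allowMissing ? 'allow' : 'redirect';
    }
    return $referer === EXPECTED_REFERER ? 'allow' : 'redirect';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests (only the relevant $_SERVER key is shown).
    $requests = [
        'member following the link'            => ['HTTP_REFERER' => EXPECTED_REFERER],
        'visitor arriving from another site'   => ['HTTP_REFERER' => 'http://other.example/'],
        'member whose proxy strips the header' => [],
        'client that sets the header itself'   => ['HTTP_REFERER' => EXPECTED_REFERER],
    ];
    foreach ($requests as $label => $server) {
        printf(
            "%-38s lenient=%-9s strict=%s\n",
            $label,
            referer_decision($server, true),
            referer_decision($server, false)
        );
    }
} elseif (referer_decision($_SERVER, true) === 'redirect') {
    // On a web request: enforce the lenient rule at the very top of the page.
    header('Location: ' . LOGIN_URL);
    exit;
}
```

The first and last rows are identical to the server, and the third row shows the trade-off: the lenient rule admits every request that arrives without a Referer, while the strict one turns away legitimate members whose proxy or browser removes it.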