We have a public website that has a index.cfm page which
consists of framesets.
Users are able to simply call one of the frames (the
report.cfm) page and we would like to restrict that page from
displaying in a standalone mode. In other words, report.cfm page
should only work if its loaded as part of the entire frameset in
the index.cfm and accessing report.cfm by itself should not work.
Is it possible to do this?
In the page you want to "protect", check to see if the
HTTP_REFERER is the frameset page. If not, you can abort,
CFLOCATION to the frameset page, etc. See concept code below.
You realize, of course, that people can prevent http referal
info from being provided. If they try to access your page the way
it was intended, through the frameset it won't work.
Another alternative is to add a url variable to your
hyperlink and check for it in report.cfm.
The report.cfm page does use a URL variable being passed from
the frameset. (
http://xxx/report.cfm?ID=#ID#). Certain users are using that page directly and bypassing the
main index.cfm page that has all the frames.
Therefore we need a way to ensure that report.cfm page does
not load as a standalone page and is always part of the frameset.