
Question about $_SERVER['HTTP_REFERER']


jeremyapp


Hi,

 

I work for a publishing company that recently started selling their print books in an eBook format - I've been working on the system to control access.

 

When a customer buys an eBook, they get a link to it, which points to the following php script:

 

http://www.domain.com/viewebook.php?code=(viewing code)&book=(book id)

 

This script checks the code against the database to ensure that it is valid and current, and then checks to see whether the user has purchased access to the specific book id.  If that check is successful, it uses the following code to redirect the user to their eBook (with some pseudo-php to conserve your time):

 

(Code to check for validity)

(if valid)
header("Location: http://www.domain.com/eBooks/$bookname/Default.php?lang=$lang");

 

The obvious problem with this is that this eBook page, "Default.php", can be accessed directly, and is shown clearly in the address bar once the redirect has taken place.  Although I know this isn't ideal, I would like to use the $_SERVER['HTTP_REFERER'] variable to ensure that the user came from the viewebook.php file.  Before you tell me how the referrer is easily spoofed, security is not a huge issue here, and this is only a temporary solution.  However, it seems that this won't work, because the referrer appears to be the page on which the user clicked the link to viewebook.php, and not the viewebook.php file itself.  Since the book will be linked from multiple places, this won't do.  Is there something else I can do?

 

Thanks.

 


The trouble is the viewebook.php file is so closely tied in with the current system that it would be easier to design a solution that works with it.

 

Here's an idea, but I'm not quite sure how to make it work.

 

Could I do something like this?

 


// session_start() must already have been called above, before any output
if ($valid) {   // $valid: the result of the validity check
    $_SESSION['ok_to_view'] = true;
    header("Location: http://www.domain.com/eBooks/$bookname/Default.php?lang=$lang");
    exit;   // stop the script once the redirect has been sent
}

 

And then have Default.php do this: (sorry in advance about the lack of indentation, I couldn't figure out how to add them in this thing!)


if (empty($_SESSION['ok_to_view'])) {   // flag missing or false: no access
    echo "error";
} else {
    // (display eBook)
}

 

The trouble with this, though, is doesn't the session end once the redirect occurs?  Something isn't working, because that code doesn't work as-is.

 

Jeremy


To follow up, I was able to make it work by putting an @ sign in front of the session_start(); to suppress an error it was giving me about the session.  I know it's sloppy but I couldn't figure out what I was doing wrong and this seems to work fine - it said something about the header already being sent (I'd give you the error but I'm not at my work computer).


Suppressing an error message stating that something is not working does not make it start working.

 

Posting your actual error message will get the quickest solution.

 

A redirect is performed by the browser. As long as the session worked on one page and the session id is sent from the browser to the server (assuming that the host and path settings for the session cookie match the new page) when the URL of the new page is requested, then a session will work on the page that gets redirected to.


Suppressing the error did make it work in this case.  I'll post the error message later to clear everything up but it seems the script stopped executing when I tried to open the session, while suppressing that error let everything work.  My guess is this is a whitespace issue as was described before.


Here's a snippet from viewebook.php (sorry about the pseudo-php, I'm doing this off the top of my head):

 

<?php
// nothing (not even whitespace) may be output before this line
session_start();

if ($licenseIsValid) {   // stand-in for the database check of the license

    $_SESSION['ok_to_view'] = true;
    header("Location: http://www.domain.com/eBooks/Default.php?lang=English");
    exit;

} else {

    header("Location: http://www.domain.com/eBooks/error");
    exit;   // stop here too, otherwise the script keeps running after the redirect

}
?>

 

Here's the code from Default.php:

 

<?php
session_start();

if (empty($_SESSION['ok_to_view'])) {   // also covers the flag never being set
    echo "Authentication Error";
    exit;

} else {

    // (code for the eBook)

}
?>

 

I still don't have the error message on me, but is there anything that would cause an error here?

 

 

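The two snippets above, put together with the per-page session handling the earlier reply describes (the session id travels in a cookie, so the cookie's path must cover both viewebook.php and the eBooks directory), as an added example that is not the poster's code. It assumes a licenses table with columns code, book_id and expires_at reachable through PDO, placeholder database credentials, and that each book is published under /eBooks/<book_id>/Default.php; both files are shown in one listing.

```php
<?php
// ---- viewebook.php (added example, not the thread's code) ----
// Assumptions: table licenses(code, book_id, expires_at), PDO credentials below
// are placeholders, and each book lives under /eBooks/<book_id>/Default.php.

// Nothing may be output before session_start(): a stray space, newline or BOM
// before "<?php" is already output, which is the usual cause of "headers already sent".
session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=ebooks', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // placeholder credentials
]);

// Is this code a live license for this specific book?
// Prepared statement: no SQL is ever built from the query-string values.
function licenseIsValid(PDO $pdo, string $code, string $bookId): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM licenses WHERE code = ? AND book_id = ? AND expires_at > NOW()'
    );
    $stmt->execute([$code, $bookId]);
    return $stmt->fetchColumn() !== false;
}

$code   = (string) ($_GET['code'] ?? '');
$bookId = (string) ($_GET['book'] ?? '');
$lang   = in_array($_GET['lang'] ?? '', ['English', 'French'], true) ? $_GET['lang'] : 'English';

// The book id is reused as a directory name and inside a Location header,
// so restrict it to a safe character set before it is used anywhere.
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $bookId) || !licenseIsValid($pdo, $code, $bookId)) {
    header('Location: http://www.domain.com/eBooks/error');
    exit;   // without exit the script would keep running after the redirect
}

// Record the grant per book rather than as one global flag, so a single
// purchase cannot open a different book id later in the same session.
session_regenerate_id(true);
$_SESSION['ebook_access'][$bookId] = time();

header("Location: http://www.domain.com/eBooks/$bookId/Default.php?lang=$lang");
exit;

// ---- eBooks/<book_id>/Default.php (separate file; same cookie params, then the check) ----
session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
session_start();

$bookId = basename(__DIR__);   // assumption: the directory name is the book id

if (empty($_SESSION['ebook_access'][$bookId])) {
    http_response_code(403);
    echo 'Authentication Error';
    exit;
}

// (code for the eBook)
```

The session, not the referrer, is what ties the two requests together: the browser follows the Location header with a fresh request that carries the session cookie, while the Referer it sends is still the page that linked to viewebook.php, which is why the referrer check in the first post could not work. Array-style session_set_cookie_params() needs PHP 7.3 or later; on older versions pass the path as the second argument instead.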

Do I not need the session_start() in my second script then, even if I'm referring to a $_SESSION variable? I can't seem to find any reason that the code I posted wouldn't work.

 

How about because you've not posted the code you are using? Do you seriously expect us to find an error in your code if you post something you 'made up in your head'?

