jimuaw2400

Secure Registration Form Page

I'm sort of new to PHP. I can install scripts and do minor PHP debugging.
But I just seem to be having a tough time figuring out how to keep my
registration form page from being passed around.

After someone pays for access to a member area and they are sent to
the registration page, what code can I put on the PHP registration page
to keep them from bookmarking it or using the URL again? I thought maybe
using a token and/or valid referrers, but I'm lost on how to do it.

I found some php code but I'm not sure if it is valid for my need. It is
just partial. I'm not sure how to call it or use it.

----------------------

<?php
/* stop browsers and proxies from caching the registration page */
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

/* turn off error reporting */
error_reporting(0);

/* valid referrers: bare host names, no scheme or path */
$referers = array('domain.com');

/* verify that the script is being called from a valid referrer */
function check_referer($referers) {
    if (count($referers)) {
        $found = false;

        /* pull the host out of the Referer header,
           e.g. "http://domain.com/pay.php" becomes "domain.com" */
        $http_referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        $referer = parse_url($http_referer, PHP_URL_HOST);

        foreach ($referers as $allowed) {
            /* eregi() was removed in PHP 7; compare the whole host
               case-insensitively so "domain.com.evil.net" does not match */
            if ($referer !== null && strcasecmp($referer, $allowed) === 0) {
                $found = true;
            }
        }

        if (!$http_referer) {
            $found = false;
        }

        if (!$found) {
            error_log("[index.php] Illegal Referer. (" . $http_referer . ")", 0);
            header("Location: http://www.mymaker.com/Illegal_Referrer");
            echo 'You are coming from an unauthorized domain.';
            exit;
        }

        return $found;
    } else {
        echo 'You are coming from here.';
        return true;
    }
}

/* call it at the top of the registration page, before any other output */
check_referer($referers);
?>

---------------------------

Any help would be appreciated.

Thanks,

Jim

The first thing I've noticed was the HTTP_REFERER. Never rely on this variable. It is easily changeable, and some browsers, firewalls, proxies and the like will not send it. This will cause hassle to legit users and still leave your script vulnerable.

Now, to the tokens. You must generate tokens and store them in some database. Then, once the script is executed see if the token is valid. After the execution, delete the token.

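Here is the token scheme the reply above describes, written out as an added example; it is not code from the original thread or from the poster. It assumes PHP 7.1 or later with PDO and SQLite, a registration_tokens table, and the function names open_db, issue_token and consume_token, all of which are my own choices. The payment-complete handler would call issue_token() and put the returned token in the link the buyer is sent to; the registration page would call consume_token() with $_GET['token'] before showing the form.

```php
<?php
// Added example: one-time registration tokens stored in a database.
// Assumptions (not from the original thread): PDO + SQLite, a
// registration_tokens table, and the function names used here.
declare(strict_types=1);

function open_db(): PDO {
    // In-memory SQLite so the demo runs anywhere; a real site uses its normal DB.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE registration_tokens (
        token_hash TEXT PRIMARY KEY,   -- sha256 of the token, never the token itself
        email      TEXT NOT NULL,
        expires_at INTEGER NOT NULL,   -- unix time
        used_at    INTEGER             -- NULL until the token is spent
    )');
    return $db;
}

// Called by the payment-complete handler. Returns the raw token to embed in the
// link sent to the buyer. Only its hash is stored, so a leaked table does not
// hand out working registration links.
function issue_token(PDO $db, string $email, int $ttl_seconds = 86400): string {
    $token = bin2hex(random_bytes(32));              // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO registration_tokens (token_hash, email, expires_at)
                          VALUES (:h, :e, :x)');
    $stmt->execute([
        ':h' => hash('sha256', $token),
        ':e' => $email,
        ':x' => time() + $ttl_seconds,
    ]);
    return $token;
}

// Called at the top of the registration page with $_GET['token'].
// Returns the buyer's e-mail on success, or null if the token is malformed,
// unknown, expired, or already used. Checking "unused" and marking "used" in
// the same UPDATE means two requests racing with the same link cannot both win.
function consume_token(PDO $db, string $token): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                  // malformed, skip the DB
    }
    $hash = hash('sha256', $token);

    $db->beginTransaction();
    $stmt = $db->prepare('UPDATE registration_tokens
                          SET used_at = :used
                          WHERE token_hash = :h AND used_at IS NULL AND expires_at > :now');
    $stmt->execute([':used' => time(), ':h' => $hash, ':now' => time()]);
    if ($stmt->rowCount() !== 1) {
        $db->rollBack();
        return null;
    }
    $row = $db->prepare('SELECT email FROM registration_tokens WHERE token_hash = :h');
    $row->execute([':h' => $hash]);
    $email = $row->fetchColumn();
    $db->commit();
    return $email === false ? null : (string) $email;
}

// Demo: issue a token after "payment", use it once, then try to reuse it.
$db    = open_db();
$token = issue_token($db, 'buyer@example.com');            // constructed sample buyer
$link  = 'https://example.com/register.php?token=' . $token; // what you would send the buyer

var_dump(consume_token($db, $token));                 // "buyer@example.com": first visit works
var_dump(consume_token($db, $token));                 // NULL: bookmarked or shared link is dead
var_dump(consume_token($db, str_repeat('0', 64)));    // NULL: unknown token
?>
```

Because the link is spent on first use, bookmarking it or passing it around does nothing, and the expiry handles buyers who never open it. Keep the Cache-Control headers from the posted script so the completed form is not served from a browser cache, but drop the referer check entirely: the token already proves the visitor came through the payment flow.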
Any ideas for a script I can use or where I can find one?

I'd really like to find a solution to this problem.

Thanks for all the help on this forum.

Jim
