Disallowing direct url

[Prodigal Son]

Does anyone know how to disallow access to a page by a direct url, but allow an iframe src to be able to access the page? i.e. I try to load test.php and I won't be able to access the page, but if I load the page through an iframe, it will work fine.

[F1Fan]

I suggest adding something that looks at the $_SERVER['HTTP_REFERER'] variable. If that's not the page that has the iframe, kill the app. Otherwise let it run. Like this:

 

<?php
if ($_SERVER['HTTP_REFERER']!="pagewithiframe.php") die("This page cannot be loaded directly");
?>

[Prodigal Son]

I suggest adding something that looks at the $_SERVER['HTTP_REFERER'] variable. If that's not the page that has the iframe, kill the app. Otherwise let it run. Like this:

 

<?php
if ($_SERVER['HTTP_REFERER']!="pagewithiframe.php") die("This page cannot be loaded directly");
?>

Hmm, my pages are dynamic, so never know what the url can be. Should I do a strpos to check if my domain is in the HTTP_REFERER? Or maybe a better way?

[F1Fan]

That would be my next suggestion. You should be able to find something helpful with the $_SERVER variable.

 

http://us.php.net/manual/en/reserved.variables.server.php

[Prodigal Son]

Hmm, doesn't seem to be working. When I do a var_dump on the $_SERVER['HTTP_REFERER'] variable (on the iframe page) I get a null.

[F1Fan]

Hmm... Try it on just the $_SERVER variable, or try print_r($_SERVER); and see if there's anything of use to you.

[Zane]

you could set a $_SESSION variable for the page.  a simple true or false variable that is defined on the parent page..containing the iframe.

 

and then on the iframe you'll probably have to check, destroy, etc the session and what not to keep someone from loading that php file later on.