Security question

[sjones]

I have a ecommerce site that has general products for everyone that visits. Also there is a wholesale client login. The script takes the user to a different category, with a seperate store for wholsale clients. Is it possible that when the wholesale category is opened, that we can make sure that it was the handle_login.php script that sent them there. If they have it bookmarked or opened from any other location besides the handle_login.php script. They would recieve a error message with the option to go to the login page.

[trq]

take a look at $_SERVER['HTTP_REFERER'].

[.josh]

also you should pass a token through a session variable to the page, that would be generated from handle_login.php and checked on your target script.

[sjones]

The problem I am having with $_SERVER['HTTP_REFERER'] is that if someone would refresh the page it creates the error, because they were not directed there from the main page. Could someone help me with the proper code to check for two different $_SERVER['HTTP_REFERER']

example:
if ($_SERVER['HTTP_REFERER'] != "www.mysite.com/abc/" || "www.mysite.com/xyz/"){
echo "You have arrived here without loging in  Bla......" ;
exit;
}

Any Thoughts ?

[pixy]

Not all servers support $_SERVER['HTTP_REFERER']...either that or it has to do with the browser, which may choose not to send refering information.

[wildteen88]

[quote author=pixy link=topic=102382.msg406645#msg406645 date=1154370359]
Not all servers support $_SERVER['HTTP_REFERER']...either that or it has to do with the browser, which may choose not to send refering information.
[/quote]
Yeah its to do with the browser. Some browsers do some dont. Also it can be easily fooled too.