Security question


5 replies to this topic

#1 sjones


Posted 31 July 2006 - 12:48 AM

I have an ecommerce site that has general products for everyone that visits. Also, there is a wholesale client login. The script takes the user to a different category, with a separate store for wholesale clients. Is it possible that when the wholesale category is opened, we can make sure that it was the handle_login.php script that sent them there? If they have it bookmarked or opened from any other location besides the handle_login.php script, they would receive an error message with the option to go to the login page.

#2 trq


Posted 31 July 2006 - 12:50 AM

Take a look at $_SERVER['HTTP_REFERER'].

#3 .josh


Posted 31 July 2006 - 05:09 AM

Also, you should pass a token through a session variable to the page, which would be generated from handle_login.php and checked on your target script.

#4 sjones


Posted 31 July 2006 - 06:23 PM

The problem I am having with $_SERVER['HTTP_REFERER'] is that if someone refreshes the page it creates the error, because they were not directed there from the main page. Could someone help me with the proper code to check for two different $_SERVER['HTTP_REFERER'] values?

example:
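// A bare string on the right of || is always true, so compare against each allowed URL explicitly.
$allowed = array("www.mysite.com/abc/", "www.mysite.com/xyz/");
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (!in_array($referer, $allowed, true)) {
    echo "You have arrived here without logging in  Bla......";
    exit;
}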

Any thoughts?

#5 pixy


Posted 31 July 2006 - 06:25 PM

Not all servers support $_SERVER['HTTP_REFERER']... either that or it has to do with the browser, which may choose not to send referring information.

#6 wildteen88


Posted 31 July 2006 - 07:19 PM

Not all servers support $_SERVER['HTTP_REFERER']... either that or it has to do with the browser, which may choose not to send referring information.

Yeah, it's to do with the browser. Some browsers do, some don't. Also, it can be easily fooled too.
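
A sketch of the session-based check suggested in reply #3, added here as an example and not code posted by anyone in the thread. The function names, the `wholesale` session key, the `/login.php` path and the 30-minute idle limit are assumptions, and it needs PHP 7.3 or later. Unlike a Referer comparison, it survives a page refresh and does not depend on a header the browser controls.

```php
<?php
// Added example, not code from the thread. All names except
// handle_login.php are assumptions made for illustration.
const WHOLESALE_IDLE_LIMIT = 1800; // seconds of inactivity allowed (assumed)

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,   // keep the session cookie away from page scripts
            'secure'   => true,   // assumes the store is served over HTTPS
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Call from handle_login.php only after the wholesale credentials are verified.
function mark_wholesale_login(string $clientId): void
{
    start_secure_session();
    session_regenerate_id(true);  // fresh session ID at login blocks fixation
    $_SESSION['wholesale'] = [
        'client' => $clientId,
        'seen'   => time(),
    ];
}

// Pure check, kept separate so it can be exercised without a web server.
function wholesale_session_valid(array $session, int $now): bool
{
    $w = $session['wholesale'] ?? null;
    return is_array($w)
        && isset($w['client'], $w['seen'])
        && ($now - $w['seen']) <= WHOLESALE_IDLE_LIMIT;
}

// Call as the first statement of every wholesale page.
function require_wholesale_login(): void
{
    start_secure_session();
    if (!wholesale_session_valid($_SESSION, time())) {
        unset($_SESSION['wholesale']);
        http_response_code(403);
        echo 'Please <a href="/login.php">log in</a> to view the wholesale store.';
        exit;
    }
    $_SESSION['wholesale']['seen'] = time(); // refreshes and bookmarks keep working
}
```

The marker lives server-side in the session, so a visitor who opens a bookmark without having gone through handle_login.php has no valid entry and gets the login link, while a logged-in client can refresh freely.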
