meltingpoint
Posted April 14, 2011

I have a PHP page that is linked to in a Joomla site in a Wrapper. I want to be able to block access to a PHP page unless it was called by a link in the main menu. I figured I could use $_SERVER['HTTP_REFERER'] to accomplish this like so:

Link from Main Menu -> top_secret.php

```php
<?php
// The following is placed in the header of the top_secret.php web page.
$page1 = 'http://myweb.com/index.php?option=com_wrapper&view=wrapper&Itemid=201'; // page that user must come from
$menu_link = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; // page that user comes from (header may be absent)
if ($page1 !== $menu_link) {
    header('Location: http://myweb.com/error_page.php');
    exit; // stop here so the rest of the page is not sent after the redirect
}
?>
```

Thus if someone tries to simply access top_secret.php without going through the Joomla menu, they will be redirected to an error page.

My question to the gurus is: is this secure, or can someone easily get to top_secret.php without going through the menu? Keep in mind that the menu the person must use is only accessible to a registered Joomla user for that site.

Hope that makes sense.

ldb358
Posted April 14, 2011

Yeah, that's not secure; it's easy to spoof HTTP headers. You would be better off setting a session on the first page and checking that it is set on the second page.

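The session check suggested in the reply above, as an added example that is not code from the thread or from Joomla. The file name `gate.php`, the session key, the five-minute lifetime and PHP 7.1+ are assumptions, and it assumes both pages are ordinary PHP scripts on the same host that share PHP's session cookie.

```php
<?php
// gate.php - hypothetical shared include used by both pages (added example).
// First page:   require 'gate.php'; gate_grant();
// Second page:  require 'gate.php'; gate_require('http://myweb.com/error_page.php');
// Both calls must run before any output is sent, because they touch headers.

const GATE_KEY = 'menu_gate'; // session key; name chosen for this example
const GATE_TTL = 300;         // seconds a grant stays valid (assumed value)

function gate_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Called by the page that shows the menu link: records a server-side,
// time-limited grant. Nothing the browser sends can create this value.
function gate_grant(): void
{
    gate_start();
    $_SESSION[GATE_KEY] = time() + GATE_TTL;
}

// Pure check, kept separate so it can be exercised without an HTTP request.
function gate_is_valid(array $session, int $now): bool
{
    return isset($session[GATE_KEY])
        && is_int($session[GATE_KEY])
        && $session[GATE_KEY] >= $now;
}

// Called at the very top of the protected page (top_secret.php).
function gate_require(string $errorUrl): void
{
    gate_start();
    if (!gate_is_valid($_SESSION, time())) {
        header('Location: ' . $errorUrl);
        exit; // without this the protected content is still sent
    }
}
```

Unlike the Referer comparison, the decision here depends only on state stored on the server, so a request that arrives with a forged header but no grant in its session is redirected.
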
meltingpoint (Author)
Posted April 14, 2011

The problem is that I cannot tie in the Joomla session for the registered user, as it is totally different from regular PHP sessions. The Joomla wrapper treats the page being wrapped as a completely separate page, much like an iframe. Creating a session variable in the page that gets wrapped doesn't work, as it does not prevent the user from an initial direct access.

For example, the page being called up in the Joomla wrapper via a menu is top_secret.php. I only want that page viewable if they access it via the menu. However, if they simply put top_secret.php at the end of the website, they will indeed have access to it.

Example: www.myweb.com/top_secret.php will itself initialize a session and is accessible.

Hope that makes sense. Also, how would they spoof the header if they don't know what it is to access that page?