
Joomla- display page only if user came from page2.


meltingpoint


I have a PHP page that is linked to in a Joomla site in a Wrapper. I want to be able to block access to a PHP page unless it was called by a link in the main menu. I figured I could use $_SERVER['HTTP_REFERER'] to accomplish this like so:

 

Link from Main Menu -> top_secret.php

 

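<?php
// The following is placed in the header of the top_secret.php web page

// Page that the user must come from
$page1 = 'http://myweb.com/index.php?option=com_wrapper&view=wrapper&Itemid=201';

// Page that the user comes from; the header is absent on a direct request
$menu_link = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

if ($page1 !== $menu_link) {
    header('Location: http://myweb.com/error_page.php');
    exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}
?>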

 

Thus if someone tries to simply access the top_secret.php without going through the Joomla menu, they will be redirected to an error page.

 

My question to the gurus is: is this secure, or can someone easily get to the top_secret.php without going through the menu? Keep in mind that the menu the person must use is only accessible to a registered Joomla user for that site.

 

Hope that makes sense.


The problem is that I cannot tie in the Joomla session for the registered user, as it is totally different from regular PHP sessions.

 

The Joomla wrapper treats the page being wrapped as a completely separate page, much like an iframe. Creating a session variable in the page that gets wrapped doesn't work, as it does not prevent the user from an initial direct access. For example, the page being called up in the Joomla wrapper via a menu is top_secret.php. I only want that page viewable if they access it via the menu. However, if they simply put top_secret.php at the end of the website, they will indeed have access to it.

 

Example: www.myweb.com/top_secret.php will itself initialize a session and is accessible.

 

Hope that makes sense. Also, how would they spoof the header if they don't know what it is to access that page?

 

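Added example, not part of the original posts: the Referer comparison from the first post tests a value that the requesting client supplies, so it cannot stand in for the Joomla login. One alternative is a short-lived HMAC-signed token that the Joomla side appends to the wrapped URL and top_secret.php verifies. The function names, the secret, the 60-second lifetime and the Joomla-side step that calls make_token() for a logged-in user are assumptions.

```php
<?php
// Added example: names, secret and lifetime are hypothetical, sample data is constructed.
const WRAPPER_URL = 'http://myweb.com/index.php?option=com_wrapper&view=wrapper&Itemid=201';

// The check from the post: it compares a request header that the client fills in.
function referer_check(array $server): bool
{
    return ($server['HTTP_REFERER'] ?? '') === WRAPPER_URL;
}

// Assumed Joomla-side step, run only for a logged-in user when the wrapped URL is built.
function make_token(int $userId, string $secret, int $now, int $ttl = 60): string
{
    $payload = $userId . '.' . ($now + $ttl);   // user id and expiry time
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// top_secret.php side: accept only a well-formed, untampered, unexpired token.
function verify_token(string $token, string $secret, int $now): bool
{
    if (!preg_match('/^(\d+)\.(\d+)\.([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $m[1] . '.' . $m[2], $secret);
    // hash_equals() compares in constant time
    return hash_equals($expected, $m[3]) && (int) $m[2] >= $now;
}

$secret = 'constructed-demo-secret';   // shared by the Joomla side and top_secret.php
$now    = 1700000000;                  // fixed clock so the run is repeatable
$token  = make_token(42, $secret, $now);

$cases = [
    'Referer check, header set by client' => referer_check(['HTTP_REFERER' => WRAPPER_URL]),
    'Referer check, no header'            => referer_check([]),
    'token, fresh'                        => verify_token($token, $secret, $now + 10),
    'token, expired'                      => verify_token($token, $secret, $now + 61),
    'token, user id altered'              => verify_token('43' . substr($token, 2), $secret, $now + 10),
    'token, missing'                      => verify_token('', $secret, $now + 10),
];
foreach ($cases as $label => $ok) {
    printf("%-40s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

In top_secret.php the token would be read from the query string and checked against time() before any output, answering with a 403 and exit on failure. The token only shows that the URL was issued recently to a logged-in user; anyone handed that URL can use it until it expires, so the lifetime should stay short.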
