Jump to content

Archived

This topic is now archived and is closed to further replies.

SommerNyte

Restricting hotlinking of pages

Recommended Posts

I hope I can explain this well enough to get some help.  :)

I want to check a page upon loading and make sure the referer is the same domain as what's in the DB.  If the referer matches the domain in the DB, then the page is displayed.  If there is not a match, then it will just display "Unauthorized Access" or something.

Here is the background...

I have a client web site that is a membership site.  We have created a page with informational videos, and members can create a link to this page to post on their own site.  Within the url of the link, the member's username is passed.  The code checks the username against the database and verifies that (1) they are a member and (2) they are a member with permission to use the video page.  As long as both checks pass, the page appears with the member's name, address and contact info on it.

That part is all fine and dandy.  However, someone COULD link to the page using another member's username in the URL, and it will work, it will just have someone else's contact info.  Well, the client wants to further restrict it so that the link can ONLY come from the member's domain, and no other domains.

My database contains the member's domain, so I was trying to use http_referer to check the referer against the web site stored in the DB, but I couldn't get it to work.  Then I read http_referer isn't reliable and shouldn't be used.  ???

Is there a way I can do this, then?  I realize .htaccess can be used, but because users are being added, removed and updating info, the .htaccess would always be changing and I don't know that it's possible for me to use PHP to automatically update the .htaccess every time a change is made to the DB?

Share this post


Link to post
Share on other sites
Ok server variable referer is very helpful.  it's not meant for what you are trying to do.
If you want the username already entered.  Pass the username itself over to a page, and request for a password.  pass the username with that page, and when they get to the processor check to make sure hte password matches there hashed and databased password.  If it does it redirects them to the page or page's they have access to in the database.  Better yet send them a  link to login and just let them login like normal people.  It jsut depend's but using referer for something like that is not very safe.

Share this post


Link to post
Share on other sites
I haven't described it right, or you haven't understood.  :)

Let's say my client is a membership organization for artists.  The artists in the organization want to sell their art to people, so they can link to a page that says why people should buy said art.  It includes their contact info on each page as long as they are an active member.

So it's a 3rd party accessing the page -- not the member themselves.  Therefore, we don't want to password protect it -- the 3rd party viewers wouldn't know the password.

Is that clearer? ???

Share this post


Link to post
Share on other sites
I'm not sure how CHMODing would help at all?

There are over 200 members.  Each member has a different web site they will be linking from.  So when the page mysite.com/page.php?user=bob loads, it needs to look up the user "bob", make sure he's an active member (it already does this part) then check Bob's domain (stored in the DB) and make sure that the link was accessed from that domain, and no other domain.  Therefore, Jim can't link to Bob's member page.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.