
jQuery/Ajax stop direct access of files.


-Karl-


Hello,

 

So I have a problem and I cannot think of a way around it. Basically, I use jQuery tabs and Ajax to load a file and include it. However, I don't want a user to be able to directly access the file which is included.

 

Example:

<?php /* URL-encode the id before echoing it into the href. */ ?>
<ul>
    <li><a href="file1.php?id=<?php echo urlencode((string) ($_GET['id'] ?? '')); ?>">Link 1</a></li>
    <li><a href="file2.php">Link 2</a></li>
</ul>

 

Let's call the main page index.php, so when a user goes to index.php they have tabs, Link 1 and Link 2; when they click Link 1, file.php is included into a pre-defined div through Ajax.

 

I want the script to still be able to access the file, but I don't want visitors to be able to access it directly.

 

So I came up with this cunning idea:

 

index.php

<?php
session_start();
// Flag the session so the tab files know index.php was loaded first.
$_SESSION['IS_INCLUDED'] = true;

 

file1.php

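<?php
session_start();
// Only respond when index.php set the flag in this session.
if (isset($_SESSION['IS_INCLUDED']) && $_SESSION['IS_INCLUDED'] == true) {
    echo 'Do stuff!';
    // The flag is consumed here, so a second request is rejected.
    unset($_SESSION['IS_INCLUDED']);
} else {
    echo 'You cannot access this file directly.';
}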

 

This works perfectly, but not as required.

 

The problem is there is more than one tab. If they click Link 1, it works fine; if they click Link 2, it works fine because the SESSION isn't yet added. However, if they click back on to Link 1, they get the error.

 

This happens because the SESSION is unset, but without it being unset anyone could access the file directly if they've visited the page once.

 

Does anyone have any idea how I can get around this problem?


You can't really. AJAX and a normal browser visit are more or less indistinguishable from each other. The most you can hope for is to make it harder but before you head down that path you really need to think about whether this is actually a problem you need to fix or not. What if someone sees the page without AJAX? It's not like they're seeing something they otherwise couldn't.

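One way to "make it harder" in the sense of the reply above, shown as an added example that is not part of the thread: index.php issues a token that stays valid while the page is in use, instead of a flag that is consumed on first use, and the included files check it together with the X-Requested-With header that jQuery sends on same-origin Ajax requests. The function names, the `t` query parameter, the `tab_token` session key and the 600-second lifetime are assumptions.

```php
<?php
// Added example, not from the thread. Function names, the 'tab_token' key,
// the 't' parameter and the 600-second lifetime are assumptions.
declare(strict_types=1);

const TAB_TOKEN_TTL = 600; // seconds a token stays valid (assumed value)

// index.php side: create one token per page load and keep it in the session.
function issue_tab_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['tab_token'] = ['value' => $token, 'expires' => $now + TAB_TOKEN_TTL];
    return $token; // append to each tab URL, e.g. file1.php?t=<token>
}

// file1.php / file2.php side: accept the request only if it carries the
// current token and the header jQuery adds to same-origin Ajax calls.
function tab_request_allowed(array $session, array $query, array $server, int $now): bool
{
    $stored = $session['tab_token'] ?? null;
    $given  = $query['t'] ?? '';
    if (!is_array($stored) || !is_string($given) || $now > $stored['expires']) {
        return false;
    }
    $isAjax = ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
    // The token is not unset after use, so every tab can be reopened.
    return $isAjax && hash_equals($stored['value'], $given);
}

// Constructed requests standing in for $_SESSION, $_GET and $_SERVER.
$session = [];
$now     = 1700000000;
$token   = issue_tab_token($session, $now);
$ajax    = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];

var_dump(tab_request_allowed($session, ['t' => $token], $ajax, $now));       // first click on a tab
var_dump(tab_request_allowed($session, ['t' => $token], $ajax, $now + 30));  // same tab clicked again
var_dump(tab_request_allowed($session, [], [], $now));                       // URL typed into the address bar
var_dump(tab_request_allowed($session, ['t' => $token], $ajax, $now + 601)); // token past its lifetime
```

In a real page the functions would be passed `$_SESSION`, `$_GET` and `$_SERVER`. Both the token and the header are values the browser itself sends, so this only turns away casual direct visits, which is the limit the reply above describes.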

Then I'm afraid you're going about this the wrong way. First and foremost create your site so that it can be used perfectly without JavaScript enabled, then add the JS stuff to enhance the user experience. That way you are not throwing any artificial road blocks in front of your users, and you can now rely completely on the server-side of things to keep your process secured.

 


That's pretty much irrelevant, there's nothing the visitor will be able to do accessing them directly. I'd just prefer them not to be able to. So programming it all without JS would be stupid, especially since I'm using jQuery tabs to ENHANCE the users' experience.


Christian is 100% correct.

Evidently not, as I just stated, it's completely secure. I just don't want them accessing it directly as a personal preference.

 

Whether I program the tabs with jQuery, or program them stand-alone, they're still going to have access to the file. Thus, he isn't right, unless of course there was a security hole, which there isn't.
