OriginalMacBabe Posted May 21, 2007

Sorry, but I've gone blind from trying to find the answer to what I know is a simple question. ???

I want all visitors to my site to have to agree to enter from a front screening page by clicking a specific link (akin to how we agree to the terms of use for a forum.) I want to assign a value=true to a constant when this is done.

I will then put a query at the top of every other page in the site to see if this variable is set. If it is I want the page to continue to load. If not, I will redirect them to the screening page.

I found the redirect

```php
<?php header ('Location: http://mysite.com/screening-page.php'); ?>
```

and I can use the isset function.

How do I set the constant?

Thank you

OMB

Wuhtzu Posted May 21, 2007

I was doing the exact same thing a year ago and it was impossible to find a solution anywhere, but eventually I got something which "worked".

Since the following: http://mysite.com/screening-page.php?agreed=true would be amusingly easy to bypass, this isn't the solution. Some may say JavaScript, but it's client side and can easily be turned off.

So I decided to use a <form>:

```php
<?PHP
session_start();

// The form below posts back to this page; 'agree' is the submit button's name.
if(isset($_POST['agree'])){
    $_SESSION['haveagreed'] = true;
    header("Location: mypage.php");
    exit;
}
else {
?>
<form action="screening-page.php" method="post">
<input type="submit" name="agree" value="I agree, let me through to the site">
</form>
<?PHP
}
?>
```

This will kind of work, but if someone wants to enter your site without clicking the actual button he can just do this:

```html
<form action="http://yoursite.com/screening-page.php" method="post">
<input type="submit" name="agree" value="I'm h4x0r">
</form>
```

Then your screening page will see that $_POST['agree'] is set and therefore set $_SESSION['haveagreed'] = true.

So to make it work 100% you have to find a way to establish if the user actually clicked _your_ button (came from your screening page). This could be done with $_SERVER['HTTP_REFERER'], which holds the address/URL of the page which sent you / referred you to where you are now. But since the HTTP referer header is set by the user agent (browser) it can be manipulated or not set at all.

Back when I did this I thought I solved the problem by adding some random numbers to a hidden field and checking if those were set etc., but I just realized that the method doesn't work.

If I come up with something more than "just to use a form" I'll let you know.

OriginalMacBabe Posted May 21, 2007 (Author)

Ok, no wonder I was having trouble finding it then, I really thought I was losing it. Why is it that things that seem so logically simple often turn out to be "impossible"?

I am not so concerned about people bypassing the system ... if someone wants to look at my pages that badly, they can. I would, however, like to make sure that they have at least seen the screening page. Even if they don't actually click the "agree" button, at least I know that they have seen it, so any attempt they make to circumvent the system and still enter will be the equivalent of having clicked the "accept" button ~ this is an issue of informed consent; it would be hard to argue that they didn't know where they were going if they went to the trouble of deliberately foiling the system.

I'm sure there will be some shmo whose life is filled with the joy of hacking through others' intentions, but I honestly believe that most people would rather just click the button than go to the trouble of circumventing the process.

I'll give what you suggest a try ~ I think I understand it. I hadn't thought of using session information.

Is there a way to just check if the screening page has been loaded in a session? If so, this will suffice. Then I could just check to see if that variable is true or if the referrer page is some other page in the site, either of which will be sufficient to have the next desired page load??

Thank you

OMB

AndyB Posted May 21, 2007

How about on every page you check that a particular session value is true:

```php
<?php
session_start();

// Not agreed yet (or no session value at all): send the visitor to the opening page.
if (!isset($_SESSION['agreed']) || $_SESSION['agreed'] != "yes") {
    header('Location: index.php');
    exit; // stop here so the rest of the page is not sent along with the redirect
}
// ... rest of every page
```

On the opening page, set a session variable and have the 'agree' form. Process the form to check for both 'yes, I agree' AND the session variable you set on the opening page. That prevents someone just copying the HTML form as a way in. If your session var is set AND 'yes, I agree' is true then set $_SESSION['agreed'] to "yes".

Wuhtzu Posted May 21, 2007

You almost have to use a session in order to verify that the user has done something, e.g. logged in or clicked "I agree", each time he/she/it changes page. Do something like the following:

screening-page.php:

```php
<?PHP
session_start();

// Stand-in for "something": whatever condition counts as agreeing,
// e.g. the agree button was clicked.
if (isset($_POST['agree'])) {
    $_SESSION['agreed'] = true;
}
else {
    // .........
}
?>
```

anyotherpage.php:

```php
<?PHP
session_start();

if (!isset($_SESSION['agreed']) || $_SESSION['agreed'] != true) {
    // do something when the user hasn't agreed
}
else {
    // show the page
}
?>
```

That's pretty much a simple login system... set a session variable on some condition (e.g. a successful login or click on a button) and then check if that session variable has a certain value on other pages.

A feature which you could add to your system is the ability to remember what page the user requested. A user/visitor could click a link somewhere http://yoursite.com/somepage.php?id=2 but since he/she hasn't viewed the screening-page, hasn't agreed and hasn't got the session variable set, he/she will be redirected to screening-page.php and then he/she has to navigate back to the link he/she clicked... annoying.

```php
<?PHP
session_start();
// Remember the path and query string of the page that was requested.
$_SESSION['REQUEST_URI'] = $_SERVER['REQUEST_URI'];
?>
```

The above code should be used on top of every page you have. It will remember the URI/URL the user requested and then in case he/she is later redirected to the screening-page.php you will have that URI/URL stored in a session ready to use when he/she is redirected back to the page:

screening-page.php

```php
<?PHP
session_start();

if(isset($_POST['agree'])){
    $_SESSION['haveagreed'] = true;

    // Go back to the page that was originally requested, if one was stored.
    if(isset($_SESSION['REQUEST_URI'])){
        header("Location: " . $_SESSION['REQUEST_URI']);
        exit;
    }
    else{
        header("Location: index.php");
        exit;
    }
}
else {
    // view the agreement...
}
?>
```
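
One way to implement the check AndyB describes, together with the return-to-requested-page idea from the last post, as an added example that is not code from the thread: the screening page stores a random one-time token in the session and accepts an "agree" POST only when it carries that token back, so a form copied to another site fails unless that session was actually served the screening page. The function names, the `gate_token` and `return_to` session keys and the `/index.php` fallback are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example (PHP 7+), not code from the thread.
session_start();

// Keep only a same-site path: "/x?y" passes, "//host", "/\host" and
// anything with control characters falls back to the index page.
function safe_local_path(string $uri): string {
    $ok = preg_match('#^/(?![/\\\\])[^\x00-\x1f\\\\]*\z#', $uri) === 1;
    return $ok ? $uri : '/index.php';
}

// Call at the top of every protected page (not on the screening page).
function require_agreement(): void {
    if (($_SESSION['agreed'] ?? false) === true) {
        return;
    }
    $_SESSION['return_to'] = safe_local_path($_SERVER['REQUEST_URI'] ?? '');
    header('Location: /screening-page.php');
    exit; // stop here, or the protected page is still sent with the redirect
}

// Call from screening-page.php: issue a token on display, demand it on submit.
function handle_screening_page(): void {
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['agree'])) {
        $sent   = $_POST['token'] ?? '';
        $issued = $_SESSION['gate_token'] ?? '';
        unset($_SESSION['gate_token']); // one use only
        if (is_string($sent) && $issued !== '' && hash_equals($issued, $sent)) {
            session_regenerate_id(true);
            $_SESSION['agreed'] = true;
            $target = $_SESSION['return_to'] ?? '/index.php';
            unset($_SESSION['return_to']);
            header('Location: ' . $target);
            exit;
        }
    }
    // First visit, or a POST without the token this session was given.
    $_SESSION['gate_token'] = bin2hex(random_bytes(16));
    $token = htmlspecialchars($_SESSION['gate_token'], ENT_QUOTES);
    echo '<form action="/screening-page.php" method="post">',
         '<input type="hidden" name="token" value="', $token, '">',
         '<input type="submit" name="agree" value="I agree, let me through">',
         '</form>';
}
```

With these definitions included, screening-page.php calls `handle_screening_page()` and every other page calls `require_agreement()` before producing any output.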