podarum Posted November 15, 2009 Share Posted November 15, 2009 I have a page that I only want it to be opened through a link (or redirect) from my other web page and not if someone types in theURL address.To be more specific, my Main.html has a link called form.php and I want that form to be availabe to the public only if they linked in from Main.html and not if they go and type http://www.blabla.com/form.php ... Thanks Link to comment Share on other sites More sharing options...
chibineku Posted November 15, 2009 Share Posted November 15, 2009 I just spent a while doing this for my checkout process - making sure users progress in the right order. I turned my links into styled form submit buttons and checked for the correct post name associated with the submit. It later occurred to me to simply set a session variable on page one of the checkout process and increment it each page, or set it to some unique value, and if that variable isn't set on the subsequent page, then I can be sure the user navigated directly to the page. My initial idea was a url-stored referrer variable but, obviously if it can be seen it can easiy be faked, so that one was out within about 20 seconds. Link to comment Share on other sites More sharing options...
podarum Posted November 15, 2009 Author Share Posted November 15, 2009 So what did you do ???You see my problem is that I offer an online service (through a from) to 1) paid customers and 2) to members for free .. I want the free members to be able through an id/password to see the page... but I have to make that site not able to be accessed through simply typing the URL ... only if they passed the cridentials from and linked in. The paid members go to another page (linked in)...these guys are not a problem per say.Would you know how I can combat this issue? Link to comment Share on other sites More sharing options...
chibineku Posted November 15, 2009 Share Posted November 15, 2009 The easiest way to disallow access to a page that requires a form submit beforehand is:if(!$_POST) {header("Location: wherever.html");exit;}That way if no form was submitted through the post method on the previous page, the user won't be able to see the page. However, that means you have to have your login script at the top of the page. The easier way is to simply log someone in once and for all and save their username/id in a session/cookie (or both) and check for it before showing any restricted pages. That way you merely have to test for the presence of these at the top of any restricted pages:if(!$_SESSION["id"]) {redirect} Link to comment Share on other sites More sharing options...
podarum Posted November 15, 2009 Author Share Posted November 15, 2009 What is the $_SESSION["id"] I would use? isn't it dynamic on every session? Link to comment Share on other sites More sharing options...
chibineku Posted November 15, 2009 Share Posted November 15, 2009 You can write your own variables to the session. $_SESSION["id"] on my site refers to the users unique id, which is set by an auto_incremented field in my MySQL table. When a user logs in, I set this value to $_SESSION["id"] and use that as my primary means of tracking the user as they use the site (it is the foreign key in my other tables). In your case, if different content is to be shown to paying and non-paying members, storing a value which reflects their membership level in the session, along with their userid, would be a good way of recognizing them in any scripts you need, and checking which content they get to see. It is also possible to configure your server to restrict certain pages and demand a password before it will load them, but the setup is more complex, I think. So, when someone hits submit on the login form, you select the record in your members table with the username and password entered. If there's a match, set the session variables, which is the same as setting any other: $login_sql = "SELECT * FROM members WHERE username = '".mysqli_real_escape_string($con, $_POST["username"])."' AND password = PASSWORD('".mysqli_real_escape_string($con, $_POST["password"])."')";$login_res = mysqli_query($con, $login_sql) or die(mysqli_error($con));if(mysqli_num_rows($login_res) == 0) {//incorrect info - deal with it somehow} else if(mysqli_num_rows($login_res) == 1) {$info = mysqli_fetch_array($login_res);$_SESSION["id"] = $info["id"];$_SESSION["level"] = $info["level"];//redirect or whatever} You can also set a referrer variable in the POST array or in the query string so you can redirect the user where they were going before you made them sign in, to make things a little sleeker. Link to comment Share on other sites More sharing options...
podarum Posted November 16, 2009 Author Share Posted November 16, 2009 Awsome info... Thanks a lot, very useful...The only question I have now is, if I pass a SESSION["username"] and SESSION ["password"] to my successful page, and verify that the customer can only see the page if the credentials match and get approved, how would I deal if someone just simply typed in that URL (something like if SESSION ["password"] doesn't match, then redirect or disallow to be be viewed...In other words if a customer comes to my site, he can either press link A and get form A and then pay to use it.. or option 2 is to go to the login box on the same page type their username and password, and if they match my database of users/passwords in mysql then they could proceed to form B which is free... that's cool and everything, but I can't have the customer know that they can simply type in the URL to form B and just get the free service without needing a username/password... Sort of like if they didn;t come through the Main page through SESSIONS, then the page just doesn't show up..... Link to comment Share on other sites More sharing options...
chibineku Posted November 16, 2009 Share Posted November 16, 2009 Don't set the password to the session, for a start. You only need that once to verify they are who they say they are, then the mere presence of a valid $_SESSION["username"] or ["id"] is enough.Again, check for the presence of $_SESSION["username"] or ["id"]. If it isn't set, they didn't sign in. Like I said before, I also styled some form submit buttons to look like links, and on the target page checked for the correct post variable:page one: <form method="post" action="secure_page.php"><input type="submit" style="border: none; text-decoration: underline; background: transparent;" name="referrer" value="go to secure area" /></form> You may require more styling and should use a fieldset, etc. etc.secure_page.php:... if(!$_POST["referrer"] || $_POST["referrer"] != 'go to secure area') {//came directly by typing URL - redirectheader("Location: ######.html");exit;}if(!$_SESSION["id"]) {//not registered - redirectheader("Location: ######.html");exit;} You can combine these into one statement, obviously. Link to comment Share on other sites More sharing options...
podarum Posted November 16, 2009 Author Share Posted November 16, 2009 Hey chibineku,Thanks again, but I tried what you said and it didn't work.. I wonder if it's the names I'm assigning or maybe I'm forgetting something..(site name is www.risksolutions.ca)In my main page (index.php) I have: <?php// *** Validate request to login to this site.if (!isset($_SESSION)) { session_start();}$loginFormAction = $_SERVER['PHP_SELF'];if (isset($_GET['accesscheck'])) { $_SESSION['PrevUrl'] = $_GET['accesscheck'];}if (isset($_POST['username'])) { $loginUsername=$_POST['username']; $password=$_POST['password']; $MM_fldUserAuthorization = ""; $MM_redirectLoginSuccess = "ProfileForm2.php"; $MM_redirectLoginFailed = "popup.html"; $MM_redirecttoReferrer = true; mysql_select_db($database_home, $home); $LoginRS__query=sprintf("SELECT username, password FROM RSUsers WHERE username=%s AND password=%s", GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); $LoginRS = mysql_query($LoginRS__query, $home) or die(mysql_error()); $loginFoundUser = mysql_num_rows($LoginRS); if ($loginFoundUser) { $loginStrGroup = ""; //declare two session variables and assign them $_SESSION['MM_Username'] = $loginUsername; $_SESSION['MM_UserGroup'] = $loginStrGroup; if (isset($_SESSION['PrevUrl']) && true) { $MM_redirectLoginSuccess = $_SESSION['PrevUrl']; } header("Location: " . $MM_redirectLoginSuccess ); } else { header("Location: ". $MM_redirectLoginFailed ); }}?><div id="LoginBox"><form name="form1" method="POST" action="<?php echo $loginFormAction; ?>"><table width="230" border="0" cellspacing="0" cellpadding="2"><tr><td width="58" height="22">Username:</td><td width="164"><input name="username" type="text" id="username" size="10"></td></tr><tr> <td width="58" height="33"> Password:</td> <td><input name="password" type="password" id="password" size="10"> <input type="submit" name="Submit" value="Submit" /></td></tr></table></form> and then in the ProfileFrom2.php (which is my secure data), I've inserted: <?phpsession_start ();if(!$_POST["form1"] || $_POST["form1"] != 'Submit') {//came directly by typing URL - redirectheader("Location: index.php");exit;//}if(!$_SESSION["username"]) {//not registered - redirectheader("Location: ProfileForm2.php");exit;}?> Any ideas? Thanks in advance.. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.