Making sure the user came from a specific page/session

pedrotuga
Forum Contributor
Posts: 249
Joined: Tue Dec 13, 2005 11:08 pm


Post by pedrotuga »

I need to make sure that a script is not called directly and that the user came from one specific other script.

What's the best way to do this?

I thought about something like this:

In the first file:

$_SESSION["testvalue"]=session_id()+1;

Then on the script I need to be protected:

if ($_SESSION["testvalue"]!=session_id()+1){
  header(...);
  exit;
}
else{
...
}

But if the user visits the first page and then goes away, the variable will still be set... and then if they visit the second page after a while, the values I want to fetch from $_POST might not be there anymore.

I think passing the value to check in a session variable is not the idea... Any other solutions?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

There's no way to be 100% sure, but you can get reasonably close. I would insert a completely unique value into the form that's sending to this special page. Stick this unique value in the database or session. On the special page, compare them. If the one isn't there or is wrong, they came from somewhere else. No matter what though, you should code this special page to handle this information not being there, by gracefully handling the page request in some fashion.
pedrotuga
Forum Contributor
Posts: 249
Joined: Tue Dec 13, 2005 11:08 pm

Post by pedrotuga »

Let's see... a unique value...

So basically you mean something like the code I wrote above...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

pedrotuga wrote:
Let's see... a unique value...

So basically you mean something like the code I wrote above...

Vaguely, yes. But it must be in the form you're submitting with too. The code above only refers to a session variable.
pedrotuga
Forum Contributor
Posts: 249
Joined: Tue Dec 13, 2005 11:08 pm

Post by pedrotuga »

I thought about that...

I will use the following code... It looks pretty secure to me.

...
<INPUT TYPE=HIDDEN NAME="postingID" value="<?php echo session_id(); ?>">
...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I wouldn't use the session ID... generate a separate unique value. Why? Because you want this value to be different each time the form is requested, not the same.
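The approach feyd describes (a fresh value per form request, kept in the session and echoed in a hidden field, then compared on the protected script), as an added example that is not code from the thread. The function names, the `form_tokens` session key and the 15-minute lifetime are assumptions; a plain array stands in for `$_SESSION` so it runs from the command line.

```php
<?php
// Added example (not from the thread). In a real page, call session_start()
// and pass $_SESSION, time() and $_POST['postingID'] ?? null instead of the
// constructed values used in the demo at the bottom.

const TOKEN_TTL = 900; // assumed lifetime of a rendered form, in seconds

// Page that renders the form: returns the value for the hidden field.
function form_token_issue(array &$session, int $now): string
{
    // Drop expired entries so abandoned forms do not pile up in the session.
    $session['form_tokens'] = array_filter(
        $session['form_tokens'] ?? [],
        fn (int $expires): bool => $expires >= $now
    );
    $token = bin2hex(random_bytes(32)); // different on every form request
    $session['form_tokens'][$token] = $now + TOKEN_TTL;
    return $token;
}

// Protected script: true only for a token that was issued, is unexpired,
// and has not been used before.
function form_token_consume(array &$session, $submitted, int $now): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false; // script requested directly, or field tampered with
    }
    foreach ($session['form_tokens'] ?? [] as $known => $expires) {
        if (hash_equals((string) $known, $submitted)) {
            unset($session['form_tokens'][$known]); // single use
            return $expires >= $now;
        }
    }
    return false;
}

// Constructed demo: $session plays the role of $_SESSION.
$session = [];
$token = form_token_issue($session, 1000);
// Hidden field as it would be rendered in the form:
echo '<input type="hidden" name="postingID" value="', htmlspecialchars($token), '">', "\n";
var_dump(form_token_consume($session, $token, 1010)); // submitted from the form
var_dump(form_token_consume($session, $token, 1011)); // same token replayed
var_dump(form_token_consume($session, null, 1012));   // script called directly
$stale = form_token_issue($session, 1000);
var_dump(form_token_consume($session, $stale, 1000 + TOKEN_TTL + 1)); // form left open too long
```

When `form_token_consume` returns false, the protected script should take the graceful path feyd mentions (redirect back to the form or show an error) rather than assume the `$_POST` values are present.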