
making sure the user came from a specific page/session

Posted: Wed Aug 16, 2006 5:39 pm
by pedrotuga
I need to make sure that a script is not called directly and that the user came from one specific other script.

What's the best way to do this?

I thought about something like this:

in the first file:

Code:

session_start(); // $_SESSION is empty until the session has been started
$_SESSION["testvalue"] = session_id() . "1"; // concatenation: "+ 1" on a non-numeric string is an error in PHP 8
Then on the script I need to protect:

Code:

session_start();
// Redirect callers whose session does not carry the value set by the first script
// (stray ";" inside the if() condition removed; it was a syntax error)
if (($_SESSION["testvalue"] ?? null) != session_id() . "1") {
  header(...);
  exit;
}
else {
...
}
But if the user visits the first page and then goes away, the variable will still be set... and then if he visits the second page after a while, the values I want to fetch from $_POST might not be there anymore.

I think passing the value to check in a session variable is not the idea... any other solutions?

Posted: Wed Aug 16, 2006 5:47 pm
by feyd
There's no way to be 100% sure, but you can get reasonably close. I would insert a completely unique value into the form that's sending to this special page. Stick this unique value in the database or session. On the special page, compare them. If the one isn't there or is wrong, they came from somewhere else. No matter what though, you should code this special page to handle this information not being there, by gracefully handling the page request in some fashion.

Posted: Wed Aug 16, 2006 5:58 pm
by pedrotuga
Let's see.. a unique value...

So basically you mean something like the code I wrote above...

Posted: Wed Aug 16, 2006 6:15 pm
by feyd
pedrotuga wrote: Let's see.. a unique value...

So basically you mean something like the code I wrote above...

Vaguely, yes. But it must be in the form you're submitting with too. The code above only references a session variable.

Posted: Wed Aug 16, 2006 6:32 pm
by pedrotuga
I thought about that...

I will use the following code... it looks pretty secure to me

...
<input type="hidden" name="postingID" value="<?php echo session_id(); ?>">
...

Posted: Wed Aug 16, 2006 6:42 pm
by feyd
I wouldn't use the session ID... generate a separate unique value. Why? Because you want this value to be different each time the form is requested, not the same.
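The approach feyd describes in his first reply (a unique value placed in the form and in the session, compared on the protected page, with a graceful fallback when it is missing) and refines in his last one (a fresh random value per form request rather than the session ID) is shown below as an added example. It is not code from this thread or from either poster. The function names issue_form_token and verify_form_token, the field name form_token and the 10-minute expiry are assumptions chosen for the example; the single file serves the form on GET and processes it on POST so it can be run as one script.

```php
<?php
// Added example, not code from the thread. One-time form token kept in the session:
// issued when the form is rendered, checked and consumed when the form is posted.
// Names (issue_form_token, verify_form_token, "form_token") and the 10-minute
// lifetime are assumptions made for this example.
declare(strict_types=1);
session_start();

// Generate an unpredictable token for this form and remember it in the session.
// $store stands in for $_SESSION so the functions can also be exercised with a plain array.
function issue_form_token(array &$store, string $form = 'posting'): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG, not session_id()
    $store['form_token'][$form] = [
        'value'   => $token,
        'expires' => time() + 600,              // assumption: token is good for 10 minutes
    ];
    return $token;
}

// Compare the submitted token with the stored one. The stored token is removed
// whether or not it matches, so a token can be redeemed only once.
function verify_form_token(array &$store, ?string $submitted, string $form = 'posting'): bool
{
    $saved = $store['form_token'][$form] ?? null;
    unset($store['form_token'][$form]);
    if ($saved === null || $submitted === null) {
        return false;                           // direct request, or the form was never issued
    }
    if ($saved['expires'] < time()) {
        return false;                           // stale: the user went away and came back later
    }
    return hash_equals($saved['value'], $submitted); // constant-time comparison
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if ($method === 'POST') {
    if (!verify_form_token($_SESSION, $_POST['form_token'] ?? null)) {
        // Handle the missing or wrong token gracefully instead of assuming $_POST is populated.
        http_response_code(403);
        echo 'This form must be submitted from the posting page.';
        exit;
    }
    // The token matched and has been consumed, so this POST came from a form we rendered.
    $message = $_POST['message'] ?? '';
    echo 'Posted: ' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with a fresh token embedded in it.
$token = issue_form_token($_SESSION);
?>
<form method="post" action="">
  <input type="hidden" name="form_token"
         value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">
  <textarea name="message"></textarea>
  <button type="submit">Post</button>
</form>
```

Run it with `php -S localhost:8000 post.php`, load the page once to get a form, and submit it: the first submission is accepted, a replay of the same POST is rejected because the token was consumed, and a POST made without first loading the form (or made after the 10-minute window) gets the 403 page instead of a notice about missing $_POST values. Using random_bytes rather than session_id() is what makes the value different on every form request, as feyd asks for, and hash_equals avoids a timing side channel in the comparison.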