

Check URL and then redirect





aningbo
I need a code to check if the user has come from a specified page else be sent there. The user must be sent to the page1 even if he types the URL in the address bar.

This is a working version but I feel it is not secure enough since I'm dealing with a payout system.

Page1.php
Code:

Welcome to page 1<br />
Go to<a href="http://localhost/page2.php">page 2</a>


Page2.php
Code:
<?
if($_SERVER['HTTP_REFERER'] == "http://localhost/page1.php")
    {
        // continue
    }
    else
    {
        header("Location: http://localhost/page1.php");
        exit;
    }
?>
WOW.. this is page 2


any suggestions or any other methods?
D'Artagnan
well, i can't see why it's not secure, if you can shed some light, or someone.
i don't think it's possible for someone to hijack $_SERVER['HTTP_REFERER'], nevertheless i never searched about it...

and since it's an exact match, you may want to use === ... but only if you want it to match EXACTLY what comes out of the HTTP_REFERER, including the case


i can only give you advice on code, do not use <? instead use <?php - will save you some time if you ever have to deploy on a server that doesn't support the abbreviated tag
aningbo
thank you. i didn't know about this "==="

so if the user comes from http://www.localhost/page1.php, r u saying that the user will be taken to the page1.php instead of page2.php?
sonam
aningbo is right, $_SERVER['HTTP_REFERER'] is not secure enough because some localhost setups allow you to create different names for each localhost. In that case I can create a fake http://his_site.com/page_1.php on my localhost with a link to the real http://his_site.com/page_2.php.

You can make $_SERVER['HTTP_REFERER'] more secure in combination with sessions (or some other algorithm). MD5 the session id and check on page_2.php both that this MD5 session id is the same and that $_SERVER['HTTP_REFERER'] is the same. I think this double check is secure enough.

Sonam
aningbo
exactly. that's the problem with the above code.

btw, would u be having some clean codes on sessions to go about with this?
jmraker
Since the referer url info comes from the client it's possible for them to alter it to pass the validation.

http://stackoverflow.com/questions/3104647/how-to-spoof-http-referer

I would have page1.php set up something in the $_SESSION and have page2.php check if it exists in the session

page1.php
Code:
<?php
session_start();
// ...
// only page1 sets this
$_SESSION['page1'] = true;
// ...
?>


page2.php
Code:
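<?php
session_start();
// ...
// Redirect and stop unless page1.php set the flag in this session
if (!isset($_SESSION['page1']) || $_SESSION['page1'] !== true) {
  header("Location: http://localhost/page1.php");
  exit();
}
// ...
?>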
sonam
jmraker wrote simple code, which is quite enough, but I prefer a slightly more complicated way because on some shared hosting someone can find out session data. For this reason some changing variable and md5 is a better way. The session id is good for this because it is always new when the user opens the browser and exists only a few seconds after the user closes the browser.

page1.php
Code:
<?php
session_start();
// only page1 sets this
$_SESSION['page1'] = md5(session_id());
?>


page2.php
Code:
<?php
session_start();
// Redirect and stop unless page1.php stored the expected value
if (!isset($_SESSION['page1']) || $_SESSION['page1'] !== md5(session_id())) {
  header("Location: http://localhost/page1.php");
  exit();
}
?>


By the way in that case $_SERVER['HTTP_REFERER'] is sufficient and I will not use it. The reason is quite simple. If you use $_SERVER['HTTP_REFERER'] then the user can get page2.php only from page1.php. But if you don't use $_SERVER['HTTP_REFERER'] then the user will get redirected only the first time and afterwards can come to page2.php from page3.php, page4.php etc.

Sonam
medesignz
primitive but another way is that I guess you could submit hidden data to page 2; if page 2 does not have the relevant data then it should be redirected to page 1... SIMPLES!
aningbo
@jmraker and sonam:

You guys are awesome. thank you so much. i'll implement this on my page after my exams next week. i hope i dont run into any major issue with the codes. really appreciate it.

@medesignz

ur idea seems interesting but that isn't it the same as using sessions shared by jmraker and sonam? could you share any codes if you have it as to how you would go about it?

thanx guys
jmraker
sonam wrote:
jmraker wrote simple code, which is quite enough, but I prefer a slightly more complicated way because on some shared hosting someone can find out session data. For this reason some changing variable and md5 is a better way. The session id is good for this because it is always new when the user opens the browser and exists only a few seconds after the user closes the browser.

In order for them to bypass a session check they'd have to have a program on the shared host that opens the session file and rewrites it; just seeing its contents wouldn't help them much unless there's private user info there like address or credit card info.

The session files have the session id in the filename and they could find their session id from the value in the PHPSESSID cookie. If they see page1|s:32:"983369e404450dd3573de34dcd2b32d8"; they could guess by the length that it's an md5 hash and confirm it by taking the md5sum of the session id.

If you're concerned about such an attack a sneakier way to hide the true value of a number is to use base_convert()
http://us2.php.net/manual/en/function.base-convert.php
where if they see the string "1010" it could be converted to
10, 30, 68, 130, 222, 350, 520, 738, 1010, 1342, 1740, 2210, 2758, 3390, 4112, 4930, 5850, 6878, 8020, 9282, 10670, 12190, or 13848

Code:
$_SESSION['page1'] = base_convert(substr(session_id(), 1, 8), 36, 28);

where the length of the value in the session is 9 letters and still contains numbers and letters. The function probably won't convert the whole session_id correctly because the session_id can be too long to store as a float (it might be ok on 64-bit computers)
sonam
@jmraker
Everything you wrote is true. I was just giving an example. Of course if the user comes to page1.php (which is our intention) then he can find out the md5 hash but he can't know whether this is the md5 hash of the session id or something else. He can try brute force but this is too much work for one redirection. In the end, maybe the best solution is to use the md5 of some variable and some fixed password. In that case, from what I am reading, brute force is impossible.

@aningbo
Thanks, we are here to help each other.

Sonam
D'Artagnan
so i could basically use curl to feed any header in any page, that opens up a whole new world to me !

and just yesterday i was telling my friend, "the most important thing to remember on security on a web application is never to trust what comes from the clientside"... and then i got fooled!

loved this topic btw.


maybe it's pertinent to share this article i read yesterday
http://devzone.zend.com/article/1786
kacsababa
You don't even have to know any computer language and don't need any special hacking tool, firefox has extensions which can change http header data as the user likes.
sonam
kacsababa wrote:
You don't even have to know any computer language and don't need any special hacking tool, firefox has extensions which can change http header data as the user likes.


He, he, I didn't know that. I am using Chrome and just do some checking in FF. What is the name of this extension? I would like to try some testing when I have time.

Sonam
sonam
Quote:
maybe it's pertinent to share this article i read yesterday
http://devzone.zend.com/article/1786


This is quite interesting. Thanks, booked.

Sonam
medesignz
aningbo wrote:

@medesignz

ur idea seems interesting but that isn't it the same as using sessions shared by jmraker and sonam? could you share any codes if you have it as to how you would go about it?


Code:

<input type="hidden" name="secret" value="ilovesausages" />
kacsababa
sonam wrote:
He, he, I didn't know that. I am using Chrome and just do some checking in FF. What is the name of this extension? I would like to try some testing when I have time.
Modify Headers and/or Live HTTP Headers
sonam
medesignz wrote:
aningbo wrote:

@medesignz

ur idea seems interesting but that isn't it the same as using sessions shared by jmraker and sonam? could you share any codes if you have it as to how you would go about it?


Code:

<input type="hidden" name="secret" value="ilovesausages" />


This is not safe. Anyone can read the HTML source and find out your sausages.
By the way aningbo didn't ask for POST and form input.


@kacsababa
Thanks I will find it.

Sonam
medesignz
@sonam

I did warn ya it would be primitive.

in order to "hide the sausage" you could encode the message on the landing page using simple PHP language.
sonam
medesignz wrote:
@sonam

I did warn ya it would be primitive.

in order to "hide the sausage" you could encode the message on the landing page using simple PHP language.


1. First - Sorry! But one part of me is primitive for sure.
2. Second - I don't understand what do you mean with "encode the message with php"

Sonam
medesignz
sonam wrote:

2. Second - I don't understand what do you mean with "encode the message with php"


on the landing page, you could validate that "ilovesausages" was in the hidden input, but you can actually encode the 'ilovesausages' using md5, SHA-1 etc etc, so that what you are submitting to the landing page isn't what you see in the source code.
aningbo
So long, I hope all of you are still around!

My original method can't work because some users might come from http://www.domain.com/page1.php

the methods posted by jmraker and sonam doesn't work either since i wanted the user to be redirected to page1.php if he/she comes from any other pages or types it out directly in the address bar. the situation here is that no matter what happens, the user is automatically redirected to page1.php and the session is created. now, he types it out again or pulls the browser back, it opens. This is a TOTAL nono.

any other solutions to check URL and redirect? m thinking of a form to send out data which should match with the form in page1.php as suggested by medesignz. Say, let a user type in a number in page1.php and then this should match with the same form field in page2.php, else get redirected. the trouble is, where do i start?!

P.S: was busy with my exams and couldn't reply back.
medesignz
another way of doing it is to enclose a script all within the same page.

the only downside is that a user cannot use a back and forward type cookie crumb to go back on previous data
sonam
Quote:
the methods posted by jmraker and sonam doesn't work


Hmmmmmmmm, are you sure? I am pretty sure it is working. The only problem I can see is that the session stays registered and you need to unset this session if you don't want to keep it for other pages or you want to use it only once. For me it is a little bit difficult to create the right code if I don't know how you come from page1 to page2 (by form, by link or...)?


page1.php

Code:
<?php
session_start();
// only page1 sets this
$_SESSION['page1'] = md5(session_id());
?>


page2.php

Code:
<?php
session_start();
if($_SESSION['page1'] !== md5(session_id())) {
  header("Location: http://localhost/page1.php");
  exit();
} else {
  $_SESSION['page1'] ="";
 unset($_SESSION['page1']);
}
?>


page3 and rest

Code:
<?php
  session_start();
if($_SESSION['page1'] !== "") {
  $_SESSION['page1'] ="";
  unset($_SESSION['page1']);
}
?>


Sonam
aningbo
@Sonam, page1 contains a form. On successful submission of this form, it is redirected to page2. There's another form in page2 which is stored in another database.

Even using it once is not enough since someone who knows it would just open page1 and without submitting the form, he would open page2.

So using sessions seems to be out of the idea unless you got another awesome idea

------

@medesignz, i thought of that possibility but the form is just too complex with users and point systems and everything. So, i dropped that idea as well.

------

I'm thinking of a way but i can't see any light in it which is, the form has many text fields and one of them is a name field which is entered by the user (not hidden) in page1. This name field is carried to the page2 and a script checks to see that the name field is intact in page2 as well. if it's blank, it redirects to page1.

is this even possible?
sonam
aningbo wrote:
@Sonam, page1 contains a form. On successful submission of this form, it is redirected to page2. There's another form in page2 which is stored in another database.

Even using it once is not enough since someone who knows it would just open page1 and without submitting the form, he would open page2.

So using sessions seems to be out of the idea unless you got another awesome idea

------

@medesignz, i thought of that possibility but the form is just too complex with users and point systems and everything. So, i dropped that idea as well.

------

I'm thinking of a way but i can't see any light in it which is, the form has many text fields and one of them is a name field which is entered by the user (not hidden) in page1. This name field is carried to the page2 and a script checks to see that the name field is intact in page2 as well. if it's blank, it redirects to page1.

is this even possible?


This is the reason why I am asking how users come to page2. If you are using a form, in that case you are using the post method, aren't you? You need to give a name to all fields (or user) and check on the second page.

For example fields: name, email, custom (set by user) and Submit (button)
on the second page you need to check that all four were submitted.
Code:
$search = array("name", "email", "custom", "Submit");
// Every expected field must be present and non-empty
foreach ($search as $key) {
    if (!isset($_POST[$key]) || $_POST[$key] == "") {
        header("Location: page1.php");
        exit;
    }
}
// No unexpected fields may be posted
foreach ($_POST as $key => $val) {
    if (array_search($key, $search) === FALSE) {
        header("Location: page1.php");
        exit;
    }
}


A few years ago I posted this simple email script and you can use some parts for your needs

http://www.frihost.com/users/sonam/blog/vp-83950.html

Sonam
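Added example, not part of any poster's reply: one way to get the behaviour asked for in this thread (page2 opens only right after page1's form was accepted, and only once) is a random single-use token that the form handler stores in the session and page2 consumes. The function names, the `t` query parameter and the 5-minute lifetime are assumptions made for illustration; the code needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Call from the page1 form handler only AFTER the submission has validated,
// so merely opening page1 never grants access to page2.
function issue_page2_token(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // unpredictable, unlike md5(session_id())
    $session['page2_token'] = $token;
    $session['page2_token_expires'] = time() + 300; // assumed 5-minute window
    return $token; // hand to page2, e.g. Location: page2.php?t=<token>
}

// Call at the top of page2. Succeeds at most once per issued token.
function consume_page2_token(array &$session, $presented): bool
{
    $expected = $session['page2_token'] ?? null;
    $expires  = $session['page2_token_expires'] ?? 0;
    // Single use: drop the token whether or not this attempt succeeds,
    // so a reload, the back button or a typed URL finds nothing to match.
    unset($session['page2_token'], $session['page2_token_expires']);

    if (!is_string($expected) || !is_string($presented)) {
        return false; // form never submitted, or no token sent
    }
    if (time() > $expires) {
        return false; // token is too old
    }
    return hash_equals($expected, $presented); // constant-time comparison
}

// page2.php would start like this:
//   session_start();
//   if (!consume_page2_token($_SESSION, $_GET['t'] ?? null)) {
//       header('Location: http://localhost/page1.php');
//       exit;
//   }

// Demonstration on a constructed session array (runs from the CLI).
$session = [];
var_dump(consume_page2_token($session, null));   // URL typed directly
$token = issue_page2_token($session);            // form submitted and accepted
var_dump(consume_page2_token($session, $token)); // first load of page2
var_dump(consume_page2_token($session, $token)); // reload or back button
```

Of the three calls in the demonstration only the second succeeds. Nothing here depends on the Referer header, so changing that header on the client has no effect on the check.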
aningbo
users on page2 are just redirected. in other words. page2 is like a thankyou page with another form.

yes i need something to check on only one of the fields in page1 form to be able to view page2 else it should be redirected to page1 or an error page.

P.S: i can't edit the process.php of the form in page1 though.
medesignz
aningbo wrote:
users on page2 are just redirected. in other words. page2 is like a thankyou page with another form.

yes i need something to check on only one of the fields in page1 form to be able to view page2 else it should be redirected to page1 or an error page.

P.S: i can't edit the process.php of the form in page1 though.


why can you not edit the process.php?
sonam
Quote:
P.S: i can't edit the process.php of the form in page1 though.


In that case you must write your own process.php, otherwise forget any suggested solution.

Sonam
aningbo
i can edit the form and its process.php in page2 though. yeah that's the kinda issue m facing right now.
sonam
Now I am a little bit confused. How many files do you have in the game, two or three?

page1 -> page2 // two
page1 -> process.php -> page2 // three


Sonam
Aredon
D'Artagnan wrote:
well, i can't see why it's not secure, if you can shed some light, or someone.
i don't think it's possible for someone to hijack $_SERVER['HTTP_REFERER'], nevertheless i never searched about it...
That's definitely not true, it's possible for someone to append a script to the url prior to being referred. It's the same issue that arises with using $_SERVER['PHP_SELF'], because that variable, once thought to be safe since it's created server side, actually receives part of its data from the HTTP_REFERER variable. I've started removing php_self from my code because of this, and honestly I just found out a couple days ago. :/

Probably the best bet is to receive HTTP_REFERER, sanitize the URL, and store it in a $_SESSION variable.
ogah
D'Artagnan wrote:
well, i can't see why it's not secure, if you can shed some light, or someone.
i don't think it's possible for someone to hijack $_SERVER['HTTP_REFERER'], nevertheless i never searched about it...

and since it's an exact match, you may want to use === ... but only if you want it to match EXACTLY what comes out of the HTTP_REFERER, including the case


i can only give you advice on code, do not use <? instead use <?php - will save you some time if you ever have to deploy on a server that doesn't support the abbreviated tag

with proxomitron we can modify $_SERVER['HTTP_REFERER'] and other HTTP header
Aredon
ogah wrote:
D'Artagnan wrote:
well, i can't see why it's not secure, if you can shed some light, or someone.
i don't think it's possible for someone to hijack $_SERVER['HTTP_REFERER'], nevertheless i never searched about it...

and since it's an exact match, you may want to use === ... but only if you want it to match EXACTLY what comes out of the HTTP_REFERER, including the case


i can only give you advice on code, do not use <? instead use <?php - will save you some time if you ever have to deploy on a server that doesn't support the abbreviated tag

with proxomitron we can modify $_SERVER['HTTP_REFERER'] and other HTTP header
I kinda already said that 2 months ago, don't revive old threads just so you can have posts.
sonam
Aredon wrote:
ogah wrote:
D'Artagnan wrote:
well, i can't see why it's not secure, if you can shed some light, or someone.
i don't think it's possible for someone to hijack $_SERVER['HTTP_REFERER'], nevertheless i never searched about it...

and since it's an exact match, you may want to use === ... but only if you want it to match EXACTLY what comes out of the HTTP_REFERER, including the case


i can only give you advice on code, do not use <? instead use <?php - will save you some time if you ever have to deploy on a server that doesn't support the abbreviated tag

with proxomitron we can modify $_SERVER['HTTP_REFERER'] and other HTTP header
I kinda already said that 2 months ago, don't revive old threads just so you can have posts.


Absolutely right. Starting a thread again without any reason is not good Shame on you

Sonam
ogah
Aredon wrote:
ogah wrote:
D'Artagnan wrote:
well, i can't see why it's not secure, if you can shed some light, or someone.
i don't think it's possible for someone to hijack $_SERVER['HTTP_REFERER'], nevertheless i never searched about it...

and since it's an exact match, you may want to use === ... but only if you want it to match EXACTLY what comes out of the HTTP_REFERER, including the case


i can only give you advice on code, do not use <? instead use <?php - will save you some time if you ever have to deploy on a server that doesn't support the abbreviated tag

with proxomitron we can modify $_SERVER['HTTP_REFERER'] and other HTTP header
I kinda already said that 2 months ago, don't revive old threads just so you can have posts.

i think we can reply to threads as long as the thread is not closed
Aredon
Just because you can doesn't mean you should. It generally appears to be post farming, in any case we should get back on topic here if we plan to actually continue this thread
ogah
sorry, i'm new here.
i do not intend to post farm and my post is still relevant to the post before