Allow access to a URL by redirect only

Asked

Viewed 319 times

0

Well... This may sound strange, but I need to block direct access to a url within my server, releasing it only when the user is redirected from another specific page.

That would be the scheme I’m trying to imagine:

The user accesses this page: meusite.com/home.php? id=xxxxxxx This page will have a DOWNLOAD button, and when clicking on it the user will be taken to: meusite.com/dl.php? id=xxxxxxx

So, I just want it to have access to */dl.php if it’s through */home.php Is there any way to do that?

  • with pure php or some framework? what you already have ready?

  • Pure PHP, the server only accepts pure php. I only have the pages anyway, I already researched about it here and in the EN community, but I found nothing. So I have nothing.

  • take a look here, is a tutorial on how to make a basic php routing system

  • Right. I’ll review and return with feedback.

  • Generates and sends a hash by url and in endpoint you valid this hash. After a while you invalid the hash so it can no longer be accessed directly. Better than that you can use a json web token (generates a token that will be valid for a time determiando).

2 answers

0

If it’s just programming, you can use something with the "global variable" $_SESSION. With the exception of the page that gives permission, put in the others a command similar to this:

$_SESSION['permitir_download'] = 0;

And when it’s the page that has the permission:

$_SESSION['permitir_download'] = 1;

On the download page, do something like this:

if ($_SESSION['permitir_download']):
//...Download
     $_SESSION['permitir_download'] = 0;
else:
//...Sem permissão 
     $_SESSION['permitir_download'] = 0;
     die();
endif;

I think it might help.

Hugs.

-2

A very elegant solution is to check the $_SERVER['HTTP_REFERER']. Whenever a PHP page is loaded by a GET or POST call, it loads this data with the source address. So you can create a behavior to respond to $_SERVER['HTTP_REFERER'], according to your needs.

  • 2

    That one at all times it’s not true. It’s common browsers fill this header, but it is not required; and it is worth remembering that a request can be made from other sources, that the request is written manually, and can set the header value as expected, even if it has not been redirected. It may be a solution, but it’s completely unreliable.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.