Determining referring page, changing page if referrer different than expected

Hey all,

php newbie here.

I have made up a little php password protection for a website I am playing with. This works fine (takes a form submission, checks it against an array of registered users and their passwords, sets the location header to the password protected page if the user has entered valid information).

What I am trying to do now is to set a script so when the password protected page first loads, it checks to see what the referring page was. If it is not the login page, the script should reset the location to the login page.

This is to prevent someone from just entering the url of the password protected page into the address bar, and bypassing the login page completely.

I have tried checking the @$HTTP_REFERER variable with an if statement, and if this variable contains something other than the login page url, to reset the location header to the login page.

The logic seems sound, but I am missing something in the coding I think.

Or, maybe there is a better way?

Thanks in advance for any help you can provide.

Cheers,

James

PHP

@PineSolPirate, Sep 22, 2006 — I personally prefer the usage of a session variable. Let your login page set a session variable, then just throw in a header on any page you want to protect.
[code=php]<?php
// Your possible "authHeader.php" file
session_start();
// isset() avoids an undefined-index notice on a brand new session
if(!isset($_SESSION['AUTH_VAR']) || "GoodUser" != $_SESSION['AUTH_VAR'])
{
header("Location: login.php");
exit; // stop here so the protected page body is never sent after the redirect
}
?>[/code]

Then in your login page set $_SESSION['AUTH_VAR'] = "GoodUser" if they authenticate correctly.
@bokeh, Sep 22, 2006 — [QUOTE]I personally prefer the usage of a session variable. Let your login page set a session variable, then just throw in a header on any page you want to protect.
[code=php]<?php
// Your possible "authHeader.php" file
session_start();
// isset() avoids an undefined-index notice on a brand new session
if(!isset($_SESSION['AUTH_VAR']) || "GoodUser" != $_SESSION['AUTH_VAR'])
{
header("Location: login.php");
exit; // stop here so the protected page body is never sent after the redirect
}
?>[/code]

Then in your login page set $_SESSION['AUTH_VAR'] = "GoodUser" if they authenticate correctly.[/QUOTE]
So what is that supposed to prove?
@PineSolPirate, Sep 23, 2006 — Well, it's not like the user can set the session variable. If you set it you can use it as basic authentication, unless I missed something huge here. I suppose you could just put something else in there and use "isset()" or "empty()" or something. I don't understand what needs proving...
@bokeh, Sep 23, 2006 — [QUOTE]I missed something huge here.[/QUOTE]I don't see the point. Just because someone has visited your form at some point in the last [I]n[/I] minutes you will let them log in. I don't see that as a security feature. It doesn't stop anyone using their own form and seems to be written by someone that believes hackers use web browsers to do their deeds.
@PineSolPirate, Sep 23, 2006 — Okay, I get it, I've been misunderstood. Here's a "full" example.
[code=php]<?php
// login.php
// This doesn't use a db or anything, just hard-coded user/pass
session_start();
// read the fields with isset() so a plain GET of the form gives no notices
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
if($user === "jpublic" && $pass === 'password')
{
$_SESSION['AUTH_VAR'] = "GoodUser";
header("Location: index.php");
exit; // nothing below should run once we have redirected
}
else
{
print "<form action='login.php' method='POST'>
<input type='text' name='user' /><br/>
<input type='password' name='pass' /><br/>
<input type='submit' value='Login' /></form>";
}
?>[/code]

[code=php]<?php
// index.php
session_start();
if(!isset($_SESSION['AUTH_VAR']) || "GoodUser" != $_SESSION['AUTH_VAR'])
{
header("Location: login.php");
exit; // stop so the protected content is never sent with the redirect
}
else
{
print "Oh look, you logged in.";
}
?>[/code]

Now pardon the lack of any niceties, it's just an example.

Does it make more sense now? Or do you want to toss out some more stupid comments about how it "seems to be written by someone that believes hackers use web browsers to do their deeds."

Which, by the way, has no bearing on the subject. And I'm well aware that that's not how 'hackers' do most of their 'deeds' (Unless xss, sql injection, etc count). You can never trust your end users, because they can send in any crap they want from their browser, you don't even need to write a form for it, just get firefox and [url=https://addons.mozilla.org/firefox/966/]Tamper Data[/url]

Please let me know if I've missed something and malicious users can now somehow set any session variable they feel like (and session hijacking doesn't count.)
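The same session gate as PineSolPirate's pair, written as an added example (not code from the thread) with the handling a practitioner would want on top of it: hashed credentials, a new session id on login, and an `exit` after the redirect. It assumes PHP 7.3+ and that both pages include this file (hypothetical name `auth.php`).

```php
<?php
// Added example, not code from the thread: a session-based login gate in
// the style of the login.php / index.php pair above. Assumes PHP 7.3+ and
// that both pages include this file (hypothetical name: auth.php).
declare(strict_types=1);

// Constructed credential store. In a real deployment the hash is generated
// once with password_hash() and stored; it is computed here on every call
// only so the demo is self-contained.
function demo_users(): array
{
    return ['jpublic' => password_hash('password', PASSWORD_DEFAULT)];
}

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // 'secure' => true needs HTTPS; drop it only for local testing.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
        session_start();
    }
}

// login.php calls this with the POSTed fields; returns true when the
// credentials match. password_verify() does the constant-time comparison.
function try_login(string $user, string $pass): bool
{
    start_secure_session();
    $hash = demo_users()[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true);      // fresh session id on login: blocks fixation
    $_SESSION['auth_user'] = $user;   // the only value protected pages trust
    return true;
}

// Every protected page calls this before any output. Redirects and stops if
// the session was never marked as authenticated; returns the username otherwise.
function require_login(string $loginUrl = '/login.php'): string
{
    start_secure_session();
    if (empty($_SESSION['auth_user'])) {
        header('Location: ' . $loginUrl, true, 303);
        exit;                         // without exit the page body is still sent
    }
    return $_SESSION['auth_user'];
}
```

In login.php, on a POST, `if (try_login($_POST['user'] ?? '', $_POST['pass'] ?? '')) { header('Location: /index.php', true, 303); exit; }` and otherwise print the form; in index.php the first line is `$user = require_login();`.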
@bokeh, Sep 23, 2006 — [QUOTE]do you want to toss out some more stupid comments[/QUOTE]I can't see any connection between your code and the original poster's question.
@PineSolPirate, Sep 23, 2006 — It's a better form of protection. As I read the original post, the second page doesn't do any verification, that's what he was trying to add with checking the referrer.

[quote]What I am trying to do now is to set a script so when the password protected page first loads, it checks to see what the referring page was. If it is not the login page, the script should reset the location to the login page.[/quote]

Also in the post is [quote]Or, maybe there is a better way?[/quote] I was trying to provide a better way.
@bokeh, Sep 24, 2006 — All he wanted to do was check that the request came from his login form (which is not accurately possible). They are already logging in anyway so this doesn't seem to be adding anything to the process.
@James_L_ (author), Sep 24, 2006 — Thanks to those who have helped so far.

So, there is no way of placing php code at the beginning of a web page, that checks the referrer, and if it is not a specific page that the user was just on, it boots the user to that page?

i.e. Did you come from the login page? If not, you are sent straight there.

Cheers,

James

p.s. bokeh, you seem to know what you are talking about. Perhaps rather than simply disagreeing with someone who is trying to help you could offer your own solution? I would be happy to see it.
@felgall, Sep 25, 2006 — Referrer is a free format field that is set to blanks by the security built into a lot of browsers and firewalls. If your visitor doesn't want web pages to know which page they just came from they will have the field disabled. If you want to make sure that they came from a specific page then you should either set a session variable on that page to test for or post something between the pages so as to ensure that you actually pass something between the pages that confirms where they came from. As long as they can't see what field you are creating there is no way for them to fake it.
@NogDog, Sep 25, 2006 — At the start of each page that needs to track or be tracked as a referer:
[code=php]
session_start();
// remember which page this session visited last, then record the current one
$referer = (isset($_SESSION['referer'])) ? $_SESSION['referer'] : NULL;
$_SESSION['referer'] = $_SERVER['PHP_SELF'];
// then if this page requires that it be accessed from a specific page:
if($referer == "/login.php")
{
// we're good
}
else
{
// not allowed: send them to the login page and stop
header("Location: /login.php");
exit;
}
[/code]

Note: this will not prevent a user from doing the following: (1) access login.php, (2) go to some other page on another site, (3) go directly to a page that wants login.php as its referer; but it can enforce a specific sequence in which the user can access pages on your site.
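felgall's point (the Referer header is client-chosen and often blank) and NogDog's session-recorded page sequence side by side, as an added example that is not from the thread. It uses constructed `$server` and `$session` arrays in place of `$_SERVER` and `$_SESSION` so it runs offline; `LOGIN_PATH` and the function names are assumptions.

```php
<?php
// Added example, not NogDog's code: the browser-supplied Referer header
// beside the server-recorded previous page from NogDog's session technique.
// Constructed $server / $session arrays stand in for $_SERVER and $_SESSION
// so the logic can be exercised offline (PHP 7.0+).
declare(strict_types=1);

const LOGIN_PATH = '/login.php';

// Weak signal only: the client chooses this header, and browsers and
// privacy tools often blank it. Returns true only when it parses and names
// our own host and login path; an absent header is simply false, not an error.
function referer_claims_login(array $server, string $expectedHost): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    if ($ref === '') {
        return false;
    }
    $parts = parse_url($ref);
    return is_array($parts)
        && strcasecmp($parts['host'] ?? '', $expectedHost) === 0
        && ($parts['path'] ?? '') === LOGIN_PATH;
}

// Authoritative: the previous page was written into the session by the
// server on the last request, so the client cannot rewrite it. Records the
// current path for the next request, exactly as NogDog's snippet does.
function came_from_login(array &$session, string $currentPath): bool
{
    $previous = $session['referer'] ?? null;
    $session['referer'] = $currentPath;
    return $previous === LOGIN_PATH;
}

// Constructed requests for illustration.
$session = [];
came_from_login($session, LOGIN_PATH);               // request 1: user loads login.php
var_dump(came_from_login($session, '/index.php'));   // request 2: server saw login.php last
var_dump(came_from_login($session, '/index.php'));   // request 3: a reload; previous page is index.php

$withHeader = ['HTTP_REFERER' => 'https://example.com/login.php'];
var_dump(referer_claims_login($withHeader, 'example.com'));  // header names our login page
var_dump(referer_claims_login([], 'example.com'));           // header stripped by the browser
```

On a real page the decision is `came_from_login($_SESSION, $_SERVER['PHP_SELF'])`; the Referer result is worth logging as a diagnostic but never as the gate.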
@bokeh, Sep 25, 2006 — [QUOTE]Note: this will not prevent a user from doing the following[/QUOTE]Note also: as with all of the above examples, it will not prevent a hacker from using their own form which would be the most likely form of attack.
@James_L_ (author), Sep 25, 2006 — [QUOTE]Note also: as with all of the above examples, it will not prevent a hacker from using their own form which would be the most likely form of attack.[/QUOTE]

bokeh,

Every post you have made on this thread has provided a reason why another poster's solution might not work.

While I appreciate this, wouldn't it just be easier to provide your solution that would work?

Cheers,

James
@PineSolPirate, Sep 25, 2006 — I think it boils down to this:

You can't check for the referrer. (felgall, #11)

You can check that they've authenticated on the login page sometime in this browser session. (Mine, #2 & #6)

You can check that they just came from that login page using sessions. (NogDog, #12)

bokeh is annoyingly unhelpful (bokeh, All)

I hope that you can use this stuff, but I am done with this thread.

P.S. bokeh, again, on NogDog's code, how is writing your own form going to change session variables? I'm missing that.

You know what, don't answer that. I don't care.
@James_L_ (author), Sep 26, 2006 — Thanks to everyone who took the time to help me out!

Cheers,

James
@bokeh, Sep 26, 2006 — [QUOTE]bokeh,

Every post you have made on this thread has provided a reason why another poster's solution might not work.

While I appreciate this, wouldn't it just be easier to provide your solution that would work?[/QUOTE]
No solution has been posted in this thread which does what the original post asked. The reason for this is that no such solution exists. The code that has been posted above does one thing and one thing only: it leads the misguided user into believing that their site has an elevated level of security when in fact no added security whatsoever is really being provided. To add security you need to use conclusive code that works 100%, 100% of the time; anything else is merely obscurity.

If you want to add security, concentrate on bolstering the validation of the data gathered by your login script rather than wasting time on the quest for the requesting page, which is a pointless distraction.

[QUOTE]bokeh is annoyingly unhelpful (bokeh, All)[/QUOTE]Is this the best counter-argument you can come up with to defend your insecure solution?