I don’t know if this is possible in PHP or not, but is there a way to detect if a link has been clicked? In my member area, I need there to be a way to change a security token’s value if the user visits a different page of the member area.
@MindzaiDec 08.2008 — #The only way PHP can be aware that a link is clicked is if the link is to a PHP script. If you have a header PHP file you could place some logic in there to update the token.
@Joseph_WitchardauthorDec 09.2008 — #When you say PHP script, does that mean any page with the .php extension? Can it be a page that contains PHP code, but doesn't do much with it as far as significance goes? In other words, something like:
@NogDogDec 09.2008 — #You can look at the $_SERVER['HTTP_REFERER'] value to see what, if any, URL the browser claims to have accessed your page from, but it is not a required HTTP header, may not be sent due to privacy settings or proxy settings, and can be easily spoofed. Therefore it can be used as a guide to what your processing does, but should never be depended upon for anything at all critical.
@NogDogDec 09.2008 — #No, it would be something like:
page_one.php:
[code=php]
<a href="page_two.php">Go to page two</a>
[/code]

page_two.php:
[code=php]
<?php
// HTTP_REFERER is optional and set by the client, so this is a hint, not proof.
if (!empty($_SERVER['HTTP_REFERER'])
    && stripos($_SERVER['HTTP_REFERER'], 'yourdomain.com/page_one.php') !== false) {
    echo "I'm pretty sure you got here from page one.";
}
[/code]

But again, this is only useful as a general information sort of thing that does not have to be 100% correct. If you need something more dependable, then you are probably looking at something using sessions, such as:
page_one.php:
[code=php]
<?php
session_start();
// Token stored server-side in this visitor's session; page_two.php checks for it.
$_SESSION['token'] = uniqid('', true);
?>
<a href="page_two.php?id=<?php echo urlencode($_SESSION['token']); ?>">Go to page 2</a>
[/code]

page_two.php:
[code=php]
<?php
session_start();
// Strict comparison: "==" would compare numeric-looking strings loosely
// (for example "1e3" == "1000" is true).
if (isset($_GET['id'], $_SESSION['token'])
    && (string) $_GET['id'] === $_SESSION['token']) {
    echo "I'm even more sure you got here from page one.";
}
[/code]
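Putting the earlier "header PHP file" suggestion together with the session-token check gives one include that every member-area page requires: the token changes on every page visit, as the question asks, and a link is only accepted once. This is an added example, not code from the thread; the file name member_tokens.php, the $_SESSION keys, the "tok" query parameter and the function names are assumptions made for illustration. It also goes slightly beyond the post above by using random_bytes() instead of uniqid() and hash_equals() instead of "==".

```php
<?php
// Added example, not code from the thread. A single include that every
// member-area page requires. File name, the $_SESSION keys and the "tok"
// query parameter are assumptions made for illustration.
declare(strict_types=1);

/**
 * Call first on every member-area page, before any output.
 * The token issued by the previous page is kept for one check, and a fresh
 * token is issued for the links on this page, so the value changes on every
 * page visit.
 */
function member_page_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['prev_page_token'] = $_SESSION['page_token'] ?? null;
    // random_bytes() (PHP 7+) is unpredictable; uniqid() is not a secret.
    $_SESSION['page_token'] = bin2hex(random_bytes(16));
}

/** Link to another member-area page carrying the current token. */
function member_link(string $path, string $label): string
{
    $url = $path . '?tok=' . urlencode($_SESSION['page_token']);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

/**
 * True only if the request carries the token the previous page issued.
 * The stored value is cleared as soon as it is read, so reloading the page or
 * replaying the same URL fails the second time. hash_equals() avoids both the
 * loose "==" comparison and a timing side channel.
 */
function came_from_member_page(): bool
{
    $expected = $_SESSION['prev_page_token'] ?? null;
    $given    = $_GET['tok'] ?? null;
    unset($_SESSION['prev_page_token']);
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Usage in page_two.php (assumed file name):
//   require __DIR__ . '/member_tokens.php';
//   member_page_start();
//   if (came_from_member_page()) {
//       echo 'Arrived via a member-area link; token rotated.';
//   } else {
//       echo 'Direct request or stale link.';
//   }
//   echo member_link('page_three.php', 'Go to page three');
```

A token in the query string ends up in browser history, server logs and the Referer header sent to other sites, so for anything that changes state (the case the book's advice is really about) carry the same token in a hidden field of a POST form and check it the same way.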
@Joseph_WitchardauthorDec 09.2008 — #Well the reason I was asking is because my book acted like you should generate a new token every time an important action takes place. My plan was to generate a new token if PHP was certain the user had gotten there from that page. Not a good idea?
Also, just so I'll know for reference purposes if it's not a good idea, does that superglobal work with https?
@MindzaiDec 09.2008 — #If by token you mean session id, there's really no need to regenerate an id every time a user changes page. I tend to do it after 'important' actions, such as logging in/out etc.
@MindzaiDec 09.2008 — #Technically yes, and from what I gather (not done any real testing) there is no real performance hit, so if you feel safer go for it. If you're super paranoid you could also store as much user-specific info as possible in your session (IP address, user agent, login microtime etc.) as well and verify that for a belt-and-braces approach (no bad thing).
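The two suggestions in these replies, regenerating the session id after login and binding the session to client details, look like this in practice. This is an added example, not code from the thread; the function names (login_user, require_login, logout_user), the $_SESSION keys and the login.php redirect target are assumptions. It goes beyond the reply in one respect: it binds only the network prefix of the IP address rather than the full address, because a full-address check logs out mobile and proxied users whose address changes mid-session.

```php
<?php
// Added example, not code from the thread. Function and $_SESSION key names
// (login_user, require_login, 'uid', 'fp', 'login_at') are assumptions.
declare(strict_types=1);

// Cookie flags: HttpOnly keeps the id away from scripts; Secure (only set
// when the site is served over HTTPS) keeps it off plain HTTP.
ini_set('session.cookie_httponly', '1');
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    ini_set('session.cookie_secure', '1');
}
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_start();

/** Network part of the client address: first two octets for IPv4, first two groups for IPv6. */
function ip_prefix(string $ip): string
{
    $sep = strpos($ip, ':') !== false ? ':' : '.';
    return implode($sep, array_slice(explode($sep, $ip), 0, 2));
}

/**
 * Client properties bound to the session. The full IP is deliberately not
 * used: mobile and proxied users change address mid-session, and a check
 * that is too strict just logs legitimate users out.
 */
function client_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . ip_prefix($ip));
}

/** Call once the credentials have been verified. */
function login_user(int $userId): void
{
    // A new id after authentication defeats session fixation: an id an
    // attacker planted in the victim's browser before login is now useless.
    session_regenerate_id(true);
    $_SESSION['uid']      = $userId;
    $_SESSION['fp']       = client_fingerprint();
    $_SESSION['login_at'] = microtime(true);
}

/** Call at the top of every member-area page; returns the user id. */
function require_login(): int
{
    $uid = $_SESSION['uid'] ?? null;
    $fp  = $_SESSION['fp'] ?? null;
    if (!is_int($uid) || !is_string($fp) || !hash_equals($fp, client_fingerprint())) {
        logout_user();
        header('Location: login.php');   // assumed login page
        exit;
    }
    return $uid;
}

/** Drop the session data and the cookie, then destroy the session on the server. */
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The id rotation is the part that matters for security; the fingerprint only raises the bar for someone who has already stolen the cookie, since the user agent is attacker-chosen and an attacker on the same network shares the IP prefix.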