Redirect after 5 seconds, but only allow access to the page from the referrer
I am trying to redirect page1.php to page2.php after 5 seconds. However, page2.php must be a private page, which can only be viewed when submitted from -> mydomain.com/page1.php and cannot be accessed if you manually enter the address in the address bar.
I have tried methods that use public keys, htaccess and php HTTP_REFERRER.
I believe the problem is coming from the redirect, and I believe this is because the redirect script does not send the HTTP_REFERRER, and therefore page2.php treats the URL sent from the redirect script as manually entered. I tried with simple PHP redirects and JavaScript. Below are two different redirect scenarios that I have used.
PHP version:
header("Refresh: 5; url=page2.php");
JavaScript version:
<script type="text/javascript">
function Redirect()
{
    window.location = "page2.php";
}
setTimeout(Redirect, 5000);
</script>
I've tried them with the full URL and with and without http://, e.g. mydomain.com/page2.php.
Page2.php should only accept traffic from page1.php. I have no objection as to how to achieve this, using public keys or any other approach, as long as the user cannot enter the address manually and go to the page. I am also fully aware that the Referrer can be faked, but I have no experience with anything more advanced.
You can use session data to make sure page2 users went through page1.
Using a session encrypted string is secure enough even if it is not encrypted at all.
on page 1:
session_start();
$_SESSION['secret_key'] = 'encrypted_string';
on page 2:
session_start();
if (isset($_SESSION['secret_key']) && $_SESSION['secret_key'] === 'encrypted_string') {
    // user is authorized
    echo 'You are authorized to see this page';
    // Logic for authorized user
} else {
    echo 'Please visit page1 before accessing this page';
}
Or, a shorter version for page2:
session_start();
if (empty($_SESSION['secret_key']) || $_SESSION['secret_key'] !== 'encrypted_string') {
    die('You are not authorized to view this page.');
}
echo 'only authorized user will see from here forward';
BTW, when testing, remember that after setting up a session, you will have to delete browser sessions or use incognito to retest. To clear the cache in Chrome, press Ctrl+Shift+Delete and select cookies and others.
This is how I would do it using 3 pages.
On the landing page, provide your JavaScript; this will redirect you to an intermediate page that sets a session variable before redirecting to the last page.
On the last page, check the session variable, determine whether to display it or not, then disable the session variable (so that if they try to return to the first page again, it won't work anymore).
p1.php
<?php session_start(); ?>
<script type="text/javascript">
function Redirect()
{
    window.location = "p12.php";
}
setTimeout(Redirect, 5000);
</script>
p12.php
<?php session_start();
$_SESSION['secret'] = 'todays_password';
$newURL = 'p2.php';
header('Location: ' . $newURL);
?>
<script type="text/javascript">
// JavaScript fallback in case the Location header was not honoured
function Redirect()
{
    window.location = "p2.php";
}
Redirect();
</script>
p2.php
<?php session_start();
if (isset($_SESSION['secret']))
{
    if ($_SESSION['secret'] === 'todays_password')
    {
        //The user provided the correct secret session variable
        echo 'welcome. you can view this page.';
        //Put all of your page content here
        ?>
        <!-- HTML content should be in between php delimiters, like this-->
        <?php
    }
    else
    {
        //The user supplied a secret code, but it was not the correct one
        echo 'invalid secret.';
        //You can also add code for redirecting the user back to p1 here
        //Or just display an error message
    }
}
else
{
    //The user did not provide a secret session variable -- they most likely did not pass through p12.
    echo 'error, you are unable to view this page';
    //You can also add code for redirecting the user back to p1 here
    //Or just display an error message
}
unset($_SESSION['secret']); //This line makes the user return to p1 every time they visit p2 -- delete this line if you only want them to visit p1 once.
?>
To make this method safe, you need to provide each user with a unique value for their secret session variable. Store this value along with its timestamp when the user visits p1, both as a session variable for the client and in the server-side database. When p2 is loaded, check whether the database has held the session value they present for at least 5 seconds. If so, let them see the page, then delete the value from the database.
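The safer scheme described above (a per-user unique secret, a timestamp, a minimum 5 second wait, single use), written out as an added example that is not code from the question or either answer. It keeps the secret in the PHP session instead of a separate database table, and the file names gate.php, page1.php and page2.php are assumed:

```php
<?php
// Added example, not from the question or answers: a one-time gate token with a
// minimum delay, in the spirit of the last answer; the PHP session stands in for
// the database store it describes. Assumed: this is gate.php, required by
// page1.php and page2.php after each has called session_start().

const GATE_MIN_DELAY = 5;    // seconds the visitor must spend on page1
const GATE_MAX_AGE   = 300;  // a token older than this is rejected

// page1 side: mint an unguessable token and record when it was issued.
function issue_gate_token(): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits of randomness
    $_SESSION['gate'] = ['token' => $token, 'issued' => time()];
    return $token;
}

// page1 side: delayed redirect carrying the token so page2 can tie it to this session.
function page1_redirect_script(string $token): string
{
    $target = 'page2.php?t=' . rawurlencode($token);
    return '<script>setTimeout(function () { window.location = '
        . json_encode($target) . '; }, ' . (GATE_MIN_DELAY * 1000) . ');</script>';
}

// page2 side, kept free of globals so it can be tested: $gate is what page1
// stored in the session (or null), $presented is the token from the URL.
function gate_token_is_valid(?array $gate, ?string $presented, int $now): bool
{
    if ($gate === null || $presented === null) {
        return false;                                 // never went through page1
    }
    if (!hash_equals((string) ($gate['token'] ?? ''), $presented)) {
        return false;                                 // token belongs to another session
    }
    $age = $now - (int) ($gate['issued'] ?? 0);
    return $age >= GATE_MIN_DELAY && $age <= GATE_MAX_AGE; // too early or stale
}

// page2 side: consume the token before deciding, so a refresh cannot reuse it.
function page2_guard(): void
{
    $gate = $_SESSION['gate'] ?? null;
    unset($_SESSION['gate']);
    $presented = isset($_GET['t']) && is_string($_GET['t']) ? $_GET['t'] : null;
    if (!gate_token_is_valid($gate, $presented, time())) {
        http_response_code(403);
        exit('Please visit page1 before accessing this page.');
    }
}
```

page1.php then consists of session_start(), require 'gate.php' and echo page1_redirect_script(issue_gate_token()); page2.php starts with session_start(), require 'gate.php' and page2_guard(), followed by the private content.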