PHP script to prevent unauthorized users from accessing a page [closed]

I have to code a page that will only allow users that click on a specific link to access that page. I don't want people to be able to type the address directly into the address bar and have access. Only from a specific page and a specific link on that page.

Security is important as it is for a product download.

Anyone know how I would do this in PHP?

Your best bet is to use sessions and have a user authenticated. Then you check whether they have logged in at the top of this "download" script.

Alternatively, you can use the $_SERVER['HTTP_REFERER'] variable and check at the top of your page that they are coming from the correct place. This would (I think) prevent users from just going straight to the download page by typing in the URL.

if ($_SERVER['HTTP_REFERER'] == 'http://mysite.com/downloadlist.php') {
    //proceed
} else {
    //kick user out
}

But like I said, sessions are the way to go here. From the PHP manual on HTTP_REFERER:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

You would need to establish session tracking (logging users in). Simply using a link and using a referral type check is not enough.

Also for downloads I would create a handler like a download.php file that would fetch the required page to download.

That way nobody will copy your documents if someone has access once.

You can use PHP HTTP Authentication:

http://php.net/manual/en/features.http-auth.php

You could also use some JS to attach some POST parameters when the user links to your page and have a quick and dirty test that way. A link on how to do it is HERE. I agree with the others that the best and most secure way is to use some form of authentication.

I would use one-time hashes for the download. The user is presented with a download page and a link like:

/download.php?downloadId=3B4A34086BH56FH5343DC

The hash is stored in the database. In download.php you check whether the hash is in the database. If it is, you push the download data and remove the hash from the database. If anyone else tries to use that link, they will not get the data, because the hash won't be in the database anymore.

(The same can be achieved with hash-named files and unlink() if you don't have database access.)
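A sketch of the one-time-hash handler this answer describes, added here as an example rather than the answerer's own code. The table name, column names and the download directory are assumptions; the token is issued on a page the logged-in user already has access to and consumed exactly once in download.php.

```php
<?php
// Added example, not the answerer's code: one-time download tokens via PDO.
// Assumes a table download_tokens(token, file_name, user_id, expires_at)
// and files stored in DOWNLOAD_DIR outside the web root (both assumptions).
declare(strict_types=1);

const DOWNLOAD_DIR = __DIR__ . '/private_downloads';
const TOKEN_TTL    = 600; // seconds a link stays valid even if never used

function issueToken(PDO $db, string $fileName, int $userId): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG, not guessable
    $stmt = $db->prepare('INSERT INTO download_tokens (token, file_name, user_id, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$token, $fileName, $userId, time() + TOKEN_TTL]);
    return $token; // embed as /download.php?downloadId=<token>
}

// Consumes the token; returns the file name to serve, or null if unknown, used or expired.
function consumeToken(PDO $db, string $token): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) { // reject malformed input early
        return null;
    }
    $sel = $db->prepare('SELECT file_name FROM download_tokens WHERE token = ? AND expires_at > ?');
    $sel->execute([$token, time()]);
    $fileName = $sel->fetchColumn();
    // Delete regardless; of two concurrent requests only the one whose DELETE removes the row wins.
    $del = $db->prepare('DELETE FROM download_tokens WHERE token = ?');
    $del->execute([$token]);
    return ($fileName !== false && $del->rowCount() === 1) ? (string)$fileName : null;
}

// download.php
$db = new PDO('sqlite:' . __DIR__ . '/tokens.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$file = consumeToken($db, (string)($_GET['downloadId'] ?? ''));
if ($file === null) {
    http_response_code(403);
    exit('Invalid, expired or already-used download link.');
}
$path = DOWNLOAD_DIR . '/' . basename($file); // basename() strips any ../ from stored names
if (!is_file($path)) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the row is deleted before the file is streamed, a link that is shared or replayed after the first use gets a 403 rather than the file, which is the property the answer relies on.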

You should not use the referer as an authentication method. The referer can easily be changed or set. For example, this command sets my referer to stackoverflow.com:

curl -e http://stackoverflow.com/ -D - brb3.org/referrer.php

Its output would look something like this:

HTTP/1.0 200 OK
Date: Thu, 01 Dec 2011 17:43:55 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze3
Vary: Accept-Encoding
Content-Length: 54
Content-Type: text/html
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:8080
Via: 1.0 localhost (squid/3.1.14)
Connection: keep-alive

$_SERVER['HTTP_REFERER'] = http://stackoverflow.com/

You should instead use a one-time hash download script, or sessions.