Outlook link preview breaking "one time URL" - php

I made a one time URL system, that has a token that becomes invalid once the user accesses that URL.
I send the email to the client with the URL containing the token, when he commits a form.
It works fine for people who uses Gmail and whatnot. However, many of the clients who use Hotmail complained that always when they clicked the URL even for the first time, it was already invalid.
I ended up finding out that Outlook has a Link Preview function, enabled by default, that display a little preview of the links in the email. Since this function accesses the URL once, the token becomes invalid when the client opens the email.
Is there a way in PHP to detect if the access to a URL is being done by a link preview system? That way I could make the token invalid only when the access was not made by a link preview.

The outlook preivew request is using HEAD request here. You can check the request type and do not invalidate your link with HEAD request.
(A better solution will be stopping triggering any logic with a simple GET request. You can create a button instead of link to ask users to click. Preview bot is unlikely to click a button like users.)

Related

PHP handle download request when session is expired

I'm looking for some help in how best to handle page navigation/redirection from a PHP application. We don't offer many downloads so this has only just now come up as an issue. The gist is that a user loads a webpage to view some data and this page offers a hyperlink to download the data into a spreadsheet (dynamically built). The issue that I'm struggling to come up with a slick solution to is if the user sits on the webpage for long enough to where their session expires in PHP. Suppose in that case the user comes back to the page and clicks the download link.
There are two scenarios I need to handle. The first is with old browsers like IE (have to support it for the time being). IE doesn't support the download attribute for ANCHOR elements. Therefore, when the link is clicked and the session is invalid, the user is presented with a login form but the browser URL now reflects the endpoint of the download. Upon logging in, the download functions correctly but the user is left at the login form because the presence of the Content-Type: attachment makes the browser not navigate. I am looking for how to best get the user back to what is essentially the initial HTTP_REFERER when the download was requested. The only idea I can come up with is either a standard endpoint or query string parameter to use so that my login form handling code can properly redirect after successful login for a download request.
The other scenario is for modern browsers that support the download attribute. My code does set the HTTP response code to 401 when it determines the login form needs to be rendered (maybe that's not correct though). I do not see anything within $_SERVER that alludes to that fact though which suggests, again, a standard endpoint or query string parameter to use for identification. Modern browsers handle this case well by simply denying the download and actually displays that the request needs authorization. So, this works well as long as setting the status to 401 on all login form renders is correct otherwise, I'd again need some way to know that the requested endpoint is a download.
I'd like to avoid any kind of JavaScript solution if possible.

Posting via Facebook API but image does not appear

I am using the Facebook PHP SDK to post content to our company page. 9 times out of 10, it works, but on the odd occasion like today the post is submitted and its content appears on the page but without the image provided by the og:image meta tag.
In today's case, a URL was submitted but no image is being displayed. According to Facebook's Sharing Debugger, there is a warning stating the "provided og:image URL encountered an unexpected error", despite the server access logs showing a request made to that image URL by the Facebook crawler at around the time the URL was submitted and a code 200 being returned along with 1MB+ of data.
The Object Debugger says different. It claims the web server is not running or Facebook's crawlers are being blocked, which according to the firewall logs is not the case. There are also warnings stating the og:url and fb:app_id tags are missing even though they appear in the raw output.
Scraping the URL again does not pull the image through; I have to manually use the "refresh share attachment" feature to make the image appear.
Is there any way I can rescape a URL and refresh the share attachment using PHP without having to do it manually?
Scraping the URL again does not pull the image through; I have to manually use the "refresh share attachment" feature to make the image appear.
Of course it doesn’t, otherwise I would change the kitten picture of that article of mine you posted three days ago, to “buy cheap viagra here” today, and you would automatically have that reflected on your timeline …
Is there any way I can rescape a URL and refresh the share attachment using PHP without having to do it manually?
You can (re-)scrape URLs via API – https://developers.facebook.com/docs/sharing/opengraph/using-objects#update
But I am not sure whether updating a post with the exact same values would actually count as an update, and refresh the attachment. You can give it a try (https://developers.facebook.com/docs/graph-api/reference/v3.1/post#updating), but if it doesn’t work, then your only option is to make sure everything is working properly before you make the post. (The JSON data returned from that endpoint should contain the image URL if everything worked properly, I suppose.)

Detect if a web site is already open and reuse window

I'm trying to find out if there is a way to open a url link in an email and reuse a window if a certain page ( or site ) is already open.
What I have is a 'forgot password' page where the user enters their email address and gets asked a security question, this then sends a plain text email with a url link (so no html link attributes) and reports to the user that it has done a good job . When the user clicks on the link it opens up a shiney new browser window and ignores the old report page leaving it feeling sad and unwanted. I would like to know if there is a way to reuse this window or more specifically the forgot password report page. Perhaps I could name the page with javascript or detect if the url is already open somehow.
Or is it possible if I did decide to use an html email, so most people would get the benefit.
Please help my report page to loved and wanted again.
Thanks
I am using PHP and I could use javascript or jquery browserside, or anything else that might fit in with this
This is completely up to the browser to decide; some browsers might be able to guess what you're trying to do and replace an existing tab with the new page, but on the whole that doesn't make sense.
This is what you could do (though it's not really technical):
after the email is entered and submitted, the form page changes and asks them for the security code that's being sent to them.
inside the email you print the security code in a clear manner for the user to double-click and copy to their clipboard; they would then switch to their browser again (with your page still open) and paste the value. You can still provide the link for ease of the user, of course.
Btw, to make an easily selectable code for the user to copy into their clipboard I found that using base32 encoding is the best; those codes can be selected easily, even with iOS devices.
You could have the page opened by the email send out a postMessage request and have the other page answer that is is still open. If that happened, the new tab could close immediately.
However, switching between tabs/windows is something happens at the OS or browser level, not the page level, and there is no way to switch to the open tab using JavaScript. You could write a browser extension to do it, but that's probably innapropriate for something so trivial, and no one would bother to install it.

Logout from google account. Call a URL in the background/in a hidden way

I need to log out the user from google apps account. Now in my application I want that when the user clicks on LOGOUT the following should happen:
1. he should get logged out from Google apps account - For this I need to send a hidden request to the URL - https://mail.google.com/a/aspiringminds.in/?logout&hl=en
I am able to call this url easily. What I need is to call this url in a hidden manner ie the user should not be redirected to this page or see this page. This is the major part where I am stuck. I have tried curl, javascript popup window, iframe, php redirection but nothing seems to work. I think only server side request will help here like 'curl'. Pleaaassseee help !!!!
2. If the user is successfully logged out - I need to take him to this page - sign_in.php?logout=1
I have been trying to do this since the last 2 days but am unable to do so. Please help.
omg just use jquery like this
$('#logoutlink').click(function(){
$.get('http://..............');return false;
};);
that will call the url from client side but will ignore the returned data
Why not just use an iframe of size 1x1 of that url, that way the user won't even realise it.

Can somebody illustrate what is "Pixel Tracking" in php?

Well, I encountered this new term in programming. What is it? How does it works and how to use it? Can somebody illustrate in php?
I have a website, full flash. That site is for signup, enter username and email. The button is in flash.
An user visit my site, www.domain.com/index.php?var=string
Can I use pixel tracking method to pass this URL variable($var) to another php page (email subscibe processing php page) together with username and email from Flash/AS3??
The more common term is Web bug: an invisible (i.e. 1x1 transparent pixel) image embedded in a web page or email, with its URL containing parameter data. When the page/email is displayed, it will load the image, thereby causing a request containing the parameter data on the server, which can then do things with that data.
Edit: I don't think the technique would work for what you want to do, since it sounds like the username and email address are entered into the flash app only after the page is fully loaded and displayed, i.e. after the request generated by a hypothetical web bug has already been sent. Can't you make the request to your signup page from the Flash code? Then all you need to do is somehow pass the URL parameter to the Flash app. I think that should be possible.
Is there anything wrong with simply passing your information via querystring from your Flash application to the PHP script?
If its just username and email then I don't think you need to do anything more than that.
Is there a reason you want to use this pixel tracking other than to simply learn how to do it?

Categories