Here is the scenario:
Visitor of Page1.php is being redirected with JavaScript to Page2.php
Is there a way to know that visitor which lands on Page2.php is a redirected visitor by monitoring Page2.php if I don't use any sessions and variables at all in any language?
Without Doing/Using:
URL Manipulation
Cookie
Session
Any kind of Variables
Absolutely no changes to Page1.php
I'm asking this because I don't want other sites to detect that I have redirected users to their website.
I just want to know the possibility.
Just set a flag in the query string when you redirect (append the query string to your redirect location):
Page2.php?redirect=1
Or if you need the referring page:
Page2.php?referer=Page1.php
Then check with $_GET['referer']
You might be able to read the $_SERVER['HTTP_REFERER'], but I personally tend to avoid it because it doesn't always contain what you think it should.
If you don't want to use server-side languages, your only alternative is JavaScript. You could redirect to Page2.php?redirected=true and use the following code to GET the redirected variable on Page2.php.
var $_GET = {};
document.location.search.replace(/\??(?:([^=]+)=([^&]*)&?)/g, function () {
function decode(s) {
return decodeURIComponent(s.split("+").join(" "));
}
$_GET[decode(arguments[1])] = decode(arguments[2]);
});
if($_GET['redirected']){
// Redirected from Page1.php!
}
Source: how to get GET and POST variables with JQuery?
Set a javascript cookie on the initial page when you do the redirect.
On the new page, check to see if the cookie is set, then delete it.
Related
My problem is that, I have a table with values, when I pulse on one of the cells redirect to a cell details page, in the url I pass the id: "http://localhost/example?id=123456". when I back to the previous page with a cancel or save button does redirect to the previous page and get in id with $_SERVER['HTTP_REFERER'] but when you pulse the back button in the browser I don’t know how to get that url.
You can use the session system of PHP:
$_SESSION['page'] = $_SERVER['HTTP_REFERER'];
To redirect to the last page you can use the header function.
header("Location: ".$_SESSION['page']);
exit();
On the server-side using $_SERVER['HTTP_REFERER'] is enough and you don;t need to store the value of $_SERVER['HTTP_REFERER'] on $_SESSION too. just directly check the $_SERVER['HTTP_REFERER'] val.
For the client-side, you can use document.referrer in JS. Also, it can be helpful for you to know these functions in JavaScript:
history.back(); //Go to the previous page
history.forward(); //Go to the next page in the stack
history.go(index); //Where index could be 1, -1, 56, etc.
Notice: If you have some routing system that handles the URL dynamically on the same path ($_POST or ...) you may need a more complex solution based on your framework.
For example, I have a page called profile_page.php. This page is only functional if data is written after the ?u= in the URL, for example, data for Alice's profile page can only be seen when the URL reads http://localhost/profile_page/alice.
Loading http://localhost/profile_page will give me undefined variable errors as most of my variable's are depending on the URL to have a value after the ?u=. For example, the variable $firstname can only be gathered when I get her username in the URL.
In such a case, when http://localhost/profile_page, I would rather have it redirect the user to their own profile_page, but I don't know how I can test the URL and parse it through an if statement.
I understand you can use $u=$_GET['u']; to obtain the current page URL? but I don't think doing this, is the best way to go about it:
$u=$_GET['u'];
if ($u == "http://localhost/profile_page/"){
// redirect to logged in users page code here
}
First, if you are using some parameter for your page to build, the url would looks like httlp://localhost/profile_page.php?firstname=alice&lastname=brown, with $_GET['firstname'] you will get alice in this case. If you want to test if the parameter is set first and redirect to another page if it is not set, you could use
if(!isset($_GET['firstname'])
{
header('Location:redirected_page.php');
}
I would like to know if its possible to append a variable to url in address bar when page loads.
demo: http://communityimpact.com/discussions/
Current page is geolocated, if category = Central Austin...would like the url to load as http://communityimpact.com/discussions/central-austin
<?php echo $my_category; ?> = Central Austin
<?php echo $my_category_slug; ?> = central-austin
Any suggestions?
Actually headers are your best bet if you need to append variables to url.
Example:
$my_category = "Central Austin";
$my_category_grub = "central-austin";
header("location: community-impact/discussions/$my_category_grub");
//or append a var like this:
header(" location: community-impact/discussions/?location=$my_category_grub");
//then you could handle the request on the new page
But both of these methods would redirect you.
If you want to use $_SESSION vars would make more sense. I don't see any possibility of appending vars to URL without redirecting. Url is the address, if you change the Url then you HAVE to change page. But session vars live until they leave your site. And can hold that info hope this helps, I'm not sure what your purpose is.
$_SESSION["category"] = "central-austin";
But you have to have
session_start();
at the beginning of the page.
Try to use a redirection with headers, like
header("Location: http://communityimpact.com/discussions/central-austin");
Your probably should use JavaScript, there are two options here:
With a redirection
// similar behavior as an HTTP redirect
window.location.replace("http://communityimpact.com/discussions/central-austin");
// similar behavior as clicking on a link
window.location.href = "http://communityimpact.com/discussions/central-austin";
Without redirection
This is the scenario: a user land on a page which redirects him at certain conditions with the following php lines
header("Location: /access/details/index.php");
die();
The problem is that the page /access/details/index.php should receive the referral URL correctly. I cannot insert an input tag because of the PHP redirect. What is the simpliest way to pass the URL to the redirect destination page, possibly without using other languages such javascript?
There is no way to tell the browser what URL to use for the referrer. Instead, you can pass the referrer as a get parameter in the redirect.
header("Location: /access/details/index.php?referrer=" . urlencode($_SERVER['HTTP_REFERER']));
Retrieve the previous referrer on your /access/details/index.php script by accessing the $_GET super global
$referrer = $_GET['referrer'];
Another option would be to skip the redirect altogether and do a forward. This keeps the current referrer intact.
include("/access/details/index.php");
die();
I have several pages inside an AJAX directory. I don't want these pages accessible directly so you cannot just type in the URL of the page within the AJAX directory and access it. I "solved" this by using a PHP session on the page that calls it as follows:
Main page:
<?php
session_start();
$_SESSION['download']='ok';
?>
and on the ajax page I have this:
<?php
session_start();
if($_SESSION['download']!=='ok'){
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit;}
?>
The only problem is that if a user goes through the correct process once, the cookie is stored and they can now access the page directly. How do I kill the session once they leave the parent page?
thx
why use session ?
if i understood what you want:
<?php /// Is ajax request var ?
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH'])=="xmlhttprequest") {
// do your ajax code
} else {
// redirect user to index.php since we do not allow direct script access, unless its ajax called
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit();
}
} ?>
A really simple solution is to open up each of the files you want to protect from direct URL entry & add the following to the top:
<?php if (isset($_GET['ajax']) != true) die();?>
Now get rid of your redirect script since it's useless now. You don't need to use sessions for this. Every time you request a page, use it's direct URL, just add ?ajax=1 to the end of it.
By adding the ?ajax=1, PHP will set a key of 'ajax' to the $_GET global variable with the value of 1. If ?ajax=1 is omitted from the URL then PHP will not set a key of 'ajax' in $_GET and thus when you check if it's set with isset() it will return false, thus the script will die and not output anything. Essentially the page will only output data if ?ajax=1 is at the end of the URL.
Someone could still "spoof" the URL and add '?ajax=1' themselves, but that is not the default behavior for people or web browsers. If you absolutely need to prevent this then it will be much more complicated, e.g. using templates outside of a publicly available folder. Most other "simple" solutions will have the same "spoofing" potential.
There's really no way to accomplish this with a 100% certainty - the problem is, both AJAX and regular web browser calls to your web site are using the same underlying protocol: HTTP. If the integrity and security of your site depends on keeping HTTP clients from requesting a specific URL then your design is wrong.
so how do you prevent people from directly accessing files inside certain directories while still letting the site use them??
Create a controller file. Send all AJAX requests to this controller.
ajax-control.php
<?php
$is_ajax = true;
include "ajaxincludes/test.php";
// ... use the ajax classes/functions ...
ajaxincludes/test.php
<?php
if (!isset($is_ajax) || !$is_ajax)) {
exit("Hey you're not AJAX!");
}
// ... continue with internal ajax logic ...
If clients try to access the file directly at http://mysite/ajaxincludes/test.php they'll get the error message. Accessing http://mysite/ajax-control.php will include the desired file.
I don't think there is a surefire way to do what you are asking, since HTTP request headers can be faked. However, you can use $_SERVER['HTTP_REFERER'] to see if the request appears to be coming from another page on your site.
If the rest of the security on your site is good, the failure of this method would not grant the user access to anything they were not already able to access.
I've never tried this but maybe you could do something with jQuery's .unload() and then call a PHP page to unset() the session.
Why not (on Ajax page):
session_start();
if($_SESSION['download']!=='ok'){
$redirect='/index.php'; //URL of the page where you want to redirect.
header("Location: $redirect");
exit;
}
// do whatever you want with "access granted" user
// remove the download flag for this session
unset($_SESSION["download"]);