redirect to homepage if clicked in google - javascript

I've read several ways to redirect users to the homepage, but what if I need to redirect them only if they got to that page through a search engine like Google or Bing?
I need this because I'm building a cigar webpage, and in some countries a certain age is required to view the content.

You could set a cookie or session through PHP/JavaScript on the first website visit, and check on all upcoming visits if the cookie already exists. If not, redirect them to the homepage.

In PHP you can use the function:
$_SERVER['HTTP_REFERER'];
I believe this will also retrieve the full URL you were referred from.
See: http://php.net/manual/en/reserved.variables.server.php
Ignore the above answer as I read the question wrong. Best thing to do would be store within a session. If a session key exists then do not redirect, if it doesn't then do a redirect.
<?php
session_start();
$_SESSION['existingUser'] = true;
print_r($_SESSION);
?>

Related

Restrict users from viewing page in PHP

I'm having a problem with the website that I'm making. I'm making a website where users will be able to go and watch a short video, after that they can Sign Up and get a link to verify their emails. The email goes to their inputted email and they have a verification link which leads to another page. That page has a button which leads to a Full Video. Now I want to prevent users from viewing verify page and the page where users see full video before they verify their emails. I'm fairly new to PHP and I tried something, I think it's not that good but I'm still learning.
I wanted to redirect users when they go to localhost/verify.php and allow them to go on the page when the URL is localhost/verify.php?verified=1, that ?verified=1 URL is being sent to their emails.
But whatever I type, it redirects to index.php.
verify.php
if (stripos($_SERVER['REQUEST_URI'], 'verify.php')){
header('Location: index.php');
}
else if (stripos($_SERVER['REQUEST_URI'], 'verify.php?verified=1')){
header('Location: verify.php');
}
Is there any way I can do this better since the users don't have register option and I'm not saving any sessions.
Even if you are not creating users, you can have a table that just represents these email addresses and contains a key, email, verified (bool) and verification_token (unique string). Then, in the controller for the verified route, you can check if that verification token exists, mark the user as verified and pass them along to the video. This also allows you to store that token in a cookie that you could check for any time they hit the normal endpoint without the query parameter, so you could still treat them as verified. It's not full-on auth, but it sounds like you don't want a full-blown authenticatable user for these emails.
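A sketch of the table-and-token approach from the answer above, added here as an example and not code from the original posts. The table `email_verifications`, the functions `issueToken` and `isVerified`, and the cookie name `vtoken` are hypothetical, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and function names; in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE email_verifications (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
    token_hash TEXT NOT NULL UNIQUE, verified INTEGER NOT NULL DEFAULT 0)');

// Sign-up: create an unguessable token, store only its hash, e-mail the raw token.
function issueToken(PDO $pdo, string $email): string
{
    $token = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO email_verifications (email, token_hash) VALUES (?, ?)')
        ->execute([$email, hash('sha256', $token)]);
    return $token; // link in the e-mail: verify.php?token=<token>
}

// verify.php and the full-video page: true only for a token that was really issued.
function isVerified(PDO $pdo, $token): bool
{
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false; // missing, array-valued or malformed parameter
    }
    $find = $pdo->prepare('SELECT id FROM email_verifications WHERE token_hash = ?');
    $find->execute([hash('sha256', $token)]);
    $id = $find->fetchColumn();
    if ($id === false) {
        return false;
    }
    $pdo->prepare('UPDATE email_verifications SET verified = 1 WHERE id = ?')->execute([$id]);
    return true;
}

// In verify.php (sketch, hypothetical cookie name): the same check covers later visits.
//   if (!isVerified($pdo, $_GET['token'] ?? $_COOKIE['vtoken'] ?? null)) {
//       header('Location: index.php'); exit;
//   }

// Constructed run from the command line, simulating three requests.
$token = issueToken($pdo, 'viewer@example.com');
var_dump(isVerified($pdo, $token)); // link from the e-mail
var_dump(isVerified($pdo, null));   // bare verify.php
var_dump(isVerified($pdo, '1'));    // guessed value such as ?verified=1
```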

Iframe shows authorized users

I created an "embed code" within my site, which is simply an iframe.
I would like to give this embed code only to certain users, but I do not know how to do it. A user could get it by inspecting the HTML code of the authorized sites and take the code without permission.
How do I make my site available only to authorized users?
I thought about using $_SERVER['HTTP_REFERER'], but as soon as you click a link inside the frame the referrer is lost.
You can't really avoid an authorized person inspecting the URL of the inline frame and revealing it to an unauthorized person. The right course of action is to serve an empty/error page to an unauthorized user.
You could achieve that by creating a session upon user login and verifying that session in the source code of the page displayed in the inline frame.
Do not rely on the referrer; it is easily spoofable and some browsers won't even set it. A session cookie is not spoofable unless the user knows the credentials used to create it, which makes them authorized, whether or not they are authenticated.
Verify the user with js.
<iframe src="verify.php">...
Verify.php contains:
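<?php
session_start();
// Unpredictable per-session id
$id = bin2hex(random_bytes(16));
$_SESSION["id"] = $id;
?>
<script>
// Pass the id and the URL-encoded referrer on to the real page
window.location = "http://yourdomain/site.php?id=<?php echo $id; ?>&referrer=" + encodeURIComponent(document.referrer);
</script>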
Loading...
Now you can check the referrer, to verify if the site is correct and the id to check if nobody tried to trick you...
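<?php
session_start();
$id = $_GET["id"] ?? "";
$referrer = $_GET["referrer"] ?? "";
// document.referrer is a full URL, so compare only its host name
$host = is_string($referrer) ? parse_url($referrer, PHP_URL_HOST) : null;
if (!isset($_SESSION["id"]) || !is_string($id) || !hash_equals($_SESSION["id"], $id) || $host !== "allowedsite.com") {
    echo "not valid";
    die();
}
?>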
As Thomas Hübelbauer noted, people could still copy your code. The only thing you can do against it is obfuscation and the use of relative links. That makes it hard to copy.

Is it safe to redirect page using jQuery and AJAX in authentication

I am creating a user authentication system using PHP, JQuery, and AJAX. On submit, a request will be sent to 'authenticate.php' with data: username & password using AJAX. The PHP code checks a database for the record and returns 0 on success, 1 on failure. Then if the returned value is 0, the page will be redirected to the 'user private page' using 'window.location="user.php"'.
Now, the question is, is it safe and proper way to authenticate like this? Are there any security problems to use jQuery/JavaScript to redirect page?
Now, the question is, is it safe and proper way to authenticate like this?
Only if inside your user.php you check again if the user has successfully authenticated already. (This is usually where sessions come into play.)
Otherwise, of course everyone who knows the URL of user.php can access it directly.
Are there any security problems to use jquery/js to redirect page?
The only difference between window.location="user.php" (which is wrong, btw. – correct would be window.location.href="user.php") and, say, a normal link to that page, foo, is that the first one happens automatically, and the second one would require the user to click the link first.
So, it is as “secure” as if you had used a simple link. What that actually means here in this case, depends what I said above.
Depends on how secure and compliant you want your application to be. According to the RFCs it's not recommended to log in like that; instead keep the form on the server side and integrate the login form on the frontend (via iframe), then just redirect with the redirect URL and token, scopes etc. to a local HTML page which then e.g. sends a window postMessage to your frontend application.
https://www.rfc-editor.org/rfc/rfc6749#page-19
If you just want to be quick and dirty you can go for window.location.href or document.location.href.
Or, a bit more secure, send the user to the server and let them be redirected back, but this can end up in redirection hell, as it's not easy to get back to the state where the user was (including settings and stuff).
Anyways, you will always have to check for the current user's session state, whatever you do afterwards, with serverside (Sessions).
Since you are working with PHP already I don't recommend using JS to redirect the user. You can use PHP for that:
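session_start();
// Assumes $db['password'] holds a hash created with password_hash()
if ($user === $db['user'] && password_verify($password, $db['password'])) {
    session_regenerate_id(true); // new session id after login
    $_SESSION['logged_in'] = true;
    header('Location: user.php');
    exit;
} else {
    echo 'username or password is wrong';
}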
Then on your user.php file:
session_start();
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true) {
    echo 'welcome to the user page';
} else {
    header('Location: index.php'); // Go back to login page
    exit;
}
If people go directly to the user.php page, they will be redirected to the index.php page.

Hide call of php file

I run a link shortener; the users get paid for visitors who use the short URL. They see a landing page, and with a click on "skip" they are redirected. But some of my users try to cheat: instead of giving their visitors the short URL like example.com/a/53425, they give them http://example.com/a/pugt.php?url=53425. In pugt.php, 2 SQL queries are performed:
the target url is retrieved from the database
the creator of the url gets +1 point per visitor.
That means that the visitors are redirected without seeing the ads at my landing page, and the user gets his points. Is there any way to hide this PHP file, or to perform these SQL queries in a smarter way?
This is the source code of the "skip" button at my landing page:
$url is the id of the short url like 53425
<section class="example">
<br/>
<br/>
<center><script src="//go.padstm.com/?id=345791"></script></center>
</section>
The best way is to create a token for every url. Add a new database column named token or anything you like.
So your url should look like:
http://example.com/a/pugt.php?token=e49s73tr6198e76dg4&url=53425.
Your PHP script will update the token every time a visitor views your ad and set the new token for the next URL. Without a valid token no one will be able to bypass your ad.
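A sketch of the token idea from the answer above, added here as an example and not code from the original posts. It goes one step further than a single token column per URL: each landing-page view gets its own single-use, expiring token, so concurrent visitors do not invalidate each other. The tables `links` and `view_tokens`, the functions `issueViewToken` and `redeemView`, and the target URL are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical tables and function names; in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, target TEXT NOT NULL,
    points INTEGER NOT NULL DEFAULT 0)');
$pdo->exec('CREATE TABLE view_tokens (token_hash TEXT PRIMARY KEY, link_id INTEGER NOT NULL,
    expires_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
$pdo->exec("INSERT INTO links (id, target) VALUES (53425, 'https://destination.example/')");

// Landing page: called while the ad is rendered; the result goes into the "skip" link.
function issueViewToken(PDO $pdo, int $linkId, int $ttl = 300): string
{
    $token = bin2hex(random_bytes(16));
    $pdo->prepare('INSERT INTO view_tokens (token_hash, link_id, expires_at) VALUES (?, ?, ?)')
        ->execute([hash('sha256', $token), $linkId, time() + $ttl]);
    return $token;
}

// pugt.php: returns the target and credits the creator only if the token was issued
// for this link, has not expired and has not been used before.
function redeemView(PDO $pdo, int $linkId, string $token): ?string
{
    // One UPDATE is the atomic claim: two requests cannot both match used = 0.
    $claim = $pdo->prepare('UPDATE view_tokens SET used = 1
        WHERE token_hash = ? AND link_id = ? AND used = 0 AND expires_at >= ?');
    $claim->execute([hash('sha256', $token), $linkId, time()]);
    if ($claim->rowCount() !== 1) {
        return null; // direct call, replayed or stale token: no redirect, no point
    }
    $pdo->prepare('UPDATE links SET points = points + 1 WHERE id = ?')->execute([$linkId]);
    $find = $pdo->prepare('SELECT target FROM links WHERE id = ?');
    $find->execute([$linkId]);
    $target = $find->fetchColumn();
    return $target === false ? null : (string) $target;
}

// Constructed run: one real landing-page view, then the shortcuts described in the question.
$token = issueViewToken($pdo, 53425);
var_dump(redeemView($pdo, 53425, $token)); // first click on "skip"
var_dump(redeemView($pdo, 53425, $token)); // same link handed to other visitors
var_dump(redeemView($pdo, 53425, ''));     // pugt.php?url=53425 called directly
var_dump($pdo->query('SELECT points FROM links WHERE id = 53425')->fetchColumn());
```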
Yes Vaze, the better way to deal with the hidden URLs is to encrypt the URL by using urlencode, as it fits your requirement. In this way the users can't understand the URL and you will have what you need. And at the time of the backend PHP magic you need to urldecode your URL in order to do the same things as you are currently doing.

Loading certain page elements based on IP address

Couldn't quite find this exact question but I may have missed it. I was wondering what's the best way to load certain page elements based on the IP address of the site the visitor is coming from. In other words I only want to load a certain navigation button if the site visitor came from site X.
We are testing some cross-domain navigation on an e-commerce site and I want to provide a link that will get people back to their shopping cart if they navigate away from it to our main site. But I only want the link to show up if the people came from the e-commerce site, hence I want to only load the link element if the referring IP address is a certain one.
I found the below code but I'm kind of a PHP newb so I don't know if this is the best way, or if there is a better way using JavaScript.
if ($_SERVER["HTTP_REFERER"] == "ip address X")
{
echo '<div id=""> Back to shopping cart</div>';
}
Thanks in advance
First: Note that the referer is NOT reliable. While in most cases it will show where a user came from, you should not DEPEND on it being accurate. Security/privacy software will tamper with the value or suppress it entirely.
That being said: the referer is just a url, so
$url = $_SERVER['HTTP_REFERER'] ?? ''; // the header may be absent
$urlparts = parse_url($url); // decompose url into components
$host = $urlparts['host'] ?? ''; // get the hostname
$ip = gethostbyname($host); // do DNS lookup for hostname->ip
if ($ip == '127.0.0.1') {
echo "Hey, you must be sitting next to me!";
}
