
On my site, forms are brought in via AJAX and checked against a sessionid. I know this is not optimal, but it's working for us. If the referrer doesn't have the session ID they are redirected back to "anotherpage". I need to allow some outside URLs to access the form directly. We set the sessionid on the page with the link to the form.

Here is what we have now on the form page:

<?php
// Read the token from the query string (empty string if it is absent).
$code = isset($_GET['sessionid']) ? $_GET['sessionid'] : '';
if (strcmp($code, 'XXXXX') != 0) {
    header("Location: http://www.domain.com/anotherpage.php");
    exit; // header() alone does not stop the rest of the page from being sent
}
?>

I need to allow some outside domains direct access to the form page and am having issues with this: (I'm putting it above the head tag on the form page)

<?php
    $code = isset($_GET['sessionid']) ? $_GET['sessionid'] : '';
    $referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    // The token is checked first, so a referrer from site1.com without
    // the token never reaches the inner branch.
    if (strcmp($code, 'XXXXX') != 0) {
        header("Location: http://www.domain.com/anotherpage.php");
        exit;
    } else {
        if (preg_match("/site1.com/", $referrer)) {
            header('Location: http://www.domain.com/desiredpage.php');
            exit;
        }
    }
?>

This still bounces me back to "anotherpage.php". Any ideas?

EDIT: Thanks for the help, it works as I requested. Now I see what I asked wasn't entirely correct. This appends the URL with ?sessionid=XXXXX. This isn't an issue on my site because I'm loading the content with jQuery .load, so the URL doesn't change. I don't want the sessionid to be visible, and now it is. Can I either a) "trim" the URL somehow or b) separate the two functions so they are exclusive?

    Doesn't the else warrant another condition? Shouldn't that condition be evaluated before the 'no-go redirect', or should the inner condition of else be embedded within the first, along with the redirect? Commented Mar 9, 2011 at 18:32

6 Answers

// Only visitors without the token are examined further; a valid token
// falls through and the form page renders.
if (strcmp($code, 'XXXXX') != 0) {
    if (preg_match("/site1.com/", $referrer)) {
        header('Location: http://www.domain.com/desiredpage.php');
    } else {
        header("Location: http://www.domain.com/anotherpage.php");
    }
    exit; // stop here; header() does not end the script by itself
}

5 Comments

@amosrivera - Is there any way to do this without showing the appended URL "domain.com/desiredpage.php?sessionid=XXXXX" in the browser address bar? On my site it's all done via jQuery .ajax > .load into specific divs, so the URL is hidden.
You could have a third page that takes care of the redirects; there you would have the if statement: domain.com/redirect.php?sessionid=XXXX. Is that what you mean?
@amosrivera - Yes, I think so: a separate third page that I tell external sites to use as <a href="externalpagescript.php">, and that page only has the referrer check?
No, I see that what you don't want to be visible is the session id. In that case you will have to do something different, like setting a cookie.
@amosrivera - I see. I'll have to figure that out then. I really appreciate all your help; you answered the first question exactly as I asked it.
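The "set a cookie" suggestion from the thread, written out as an added example (this is not code from the question or from any answer). A small gate script checks the shared token once, records the result in the PHP session, which the browser carries as a cookie, and redirects to a URL with no query string, so the token never appears in the address bar. The constant names, the page URLs and the session key are assumptions made for the example.

```php
<?php
// Added example, not code from the original question or answers.
// gate.php: validate the shared token once, remember the result in the
// session cookie, and redirect to a clean URL. FORM_TOKEN, the page URLs and
// SESSION_FLAG are illustrative assumptions.

const FORM_TOKEN   = 'XXXXX';   // the placeholder value used in the question
const DESIRED_PAGE = 'http://www.domain.com/desiredpage.php';
const DENIED_PAGE  = 'http://www.domain.com/anotherpage.php';
const SESSION_FLAG = 'form_allowed';

/**
 * Decide where the gate sends the visitor.
 * $query is $_GET; $session is $_SESSION (by reference so the flag can be set).
 * Returns the redirect target; the token never ends up in that URL.
 */
function gate_decide(array $query, array &$session): string
{
    $code = $query['sessionid'] ?? '';
    // hash_equals() compares in constant time; strcmp() returns as soon as a
    // byte differs, which an attacker guessing the token can measure.
    if (is_string($code) && hash_equals(FORM_TOKEN, $code)) {
        $session[SESSION_FLAG] = true;
        return DESIRED_PAGE;
    }
    unset($session[SESSION_FLAG]);
    return DENIED_PAGE;
}

/** Top of desiredpage.php: may this browser see the form? */
function form_allowed(array $session): bool
{
    return ($session[SESSION_FLAG] ?? false) === true;
}

// ---- Behaviour under a web server (the gate page itself) ----
if (PHP_SAPI !== 'cli') {
    session_start();
    $target = gate_decide($_GET, $_SESSION);
    if ($target === DESIRED_PAGE) {
        session_regenerate_id(true);   // new cookie value once access is granted
    }
    header('Location: ' . $target, true, 303);
    exit;                               // header() alone does not stop the script
}

// ---- Offline check with constructed input (run with: php gate.php) ----
$session = [];
assert(gate_decide(['sessionid' => 'XXXXX'], $session) === DESIRED_PAGE);
assert(form_allowed($session) === true);
assert(gate_decide(['sessionid' => 'XXXXY'], $session) === DENIED_PAGE);
assert(form_allowed($session) === false);
assert(gate_decide([], $session) === DENIED_PAGE);
echo "all checks passed\n";
```

desiredpage.php then needs only `session_start()` followed by a `form_allowed($_SESSION)` check before any HTML is sent. The token is still a static shared secret: anyone who has seen a link that carries it can open the gate, so rotate it when it leaks, and clear the session flag when the visitor is done with the form if it should not stay open for the life of the cookie.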

As I read your post, you want anyone from the preg_match to get the desired page regardless of sessionID status, so you don't want to test sessionID first.

Start the if block with the preg_match test.

1 Comment

Please see the edited question. I also don't want the session id to show in the URL when coming from the preg_match. When coming from a page in the site, the URL doesn't change as I'm using jQuery .ajax to .load content.

Your first if is checking to see if they don't have the $code and redirecting them. This will always be the case. You should probably check the $referrer first and then do the $code check.



Try reversing the if and the else:

<?php
    $code = isset($_GET['sessionid']) ? $_GET['sessionid'] : '';
    $referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    // Referrer first: an allowed referrer wins regardless of the token.
    if (preg_match("/site1.com/", $referrer)) {
        header('Location: http://www.domain.com/desiredpage.php');
        exit;
    } else if (strcmp($code, 'XXXXX') != 0) {
        header("Location: http://www.domain.com/anotherpage.php");
        exit;
    }
?>

9 Comments

@jcubic - Same answer as above, and it works. Can PHP "trim" a URL? Is there any way to do this without showing the appended URL "domain.com/desiredpage.php?sessionid=XXXXX" in the browser address bar? On my site it's all done via jQuery .ajax > .load into specific divs, so the URL is hidden.
Try header('Location: http://www.domain.com/desiredpage.php?'); you can also use mod_rewrite in the .htaccess file if you use Apache.
Using header('Location.....php?') didn't work. How would I use it in .htaccess? A 301 redirect to the page with an appended URL? Wouldn't that still show the URL?
In .htaccess, if you put ? in the destination URL it doesn't append the query string: RewriteCond %{QUERY_STRING} !="sessionid=xxxx" RewriteRule .* /desiredpage.php? [R=301,L]
@jcubic - Sorry man, how would I make sure this only comes from the allowed domain? Or do I do it in combination with the PHP on the page?

If I'm not misunderstanding this, the problem is in the order in which you are checking things.

If you want to allow some referrers to access the site even if they don't have the session id, you have to check for that before checking for the session id. Otherwise, they will end up being treated just like everyone else.

You can either switch the order of the conditions (first check for the referrer and then check for the session id) or check for the referrer inside the branch in which you already know the session id is not valid.



The issue could be in your regex; it should be:

if (preg_match("/site1\.com/",$referrer))

notice the escaped dot (\.)
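Escaping the dot is necessary but not sufficient: `/site1\.com/` still matches anywhere in the Referer string, so `notsite1.com`, `site1.com.attacker.example` and `attacker.example/?next=site1.com` all pass. The added example below (not code from the question or from any answer) parses the Referer URL and compares the host exactly, with optional subdomain matching; the allow-list and the Referer values it is run against are constructed for the example.

```php
<?php
// Added example, not code from the original question or answers.
// Compare the Referer host against an allow-list instead of regex-matching the
// whole header. ALLOWED_REFERRER_HOSTS and the test inputs are assumptions.

const ALLOWED_REFERRER_HOSTS = ['site1.com', 'www.site1.com'];

/**
 * True if $referrer (the raw HTTP Referer header, possibly empty) points at one
 * of the $allowed hosts. Hosts compare case-insensitively; a subdomain of an
 * allowed host matches only when $allowSubdomains is set.
 */
function referrer_host_allowed(string $referrer, array $allowed, bool $allowSubdomains = false): bool
{
    if ($referrer === '') {
        return false;                      // header absent: browser stripped it, or a direct visit
    }
    $parts = parse_url($referrer);
    if ($parts === false || empty($parts['host'])) {
        return false;                      // not a URL whose host we can reason about
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowed as $ok) {
        $ok = strtolower($ok);
        if ($host === $ok) {
            return true;
        }
        // Subdomain match requires the dot: "notsite1.com" must not match "site1.com".
        $suffix = '.' . $ok;
        if ($allowSubdomains
            && strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed Referer values covering the cases the regex gets wrong.
$cases = [
    ['http://site1.com/page',                    true],
    ['https://WWW.site1.com/x?y=1',              true],
    ['http://notsite1.com/',                     false],  // "/site1\.com/" matches this
    ['http://site1.com.attacker.example/',       false],  // and this
    ['http://attacker.example/?next=site1.com',  false],  // and this
    ['',                                         false],  // Referer absent
    ['not a url',                                false],
];
foreach ($cases as [$referrer, $expected]) {
    assert(referrer_host_allowed($referrer, ALLOWED_REFERRER_HOSTS) === $expected, $referrer);
}
assert(referrer_host_allowed('http://forms.site1.com/', ['site1.com'], true) === true);
assert(referrer_host_allowed('http://forms.site1.com/', ['site1.com']) === false);
echo "all checks passed\n";
```

Two caveats apply however precisely the host is matched. The Referer header is sent by the client and is trivially forged with any HTTP tool, so it can decide where to send a visitor but should not be the only thing standing between the public and a form that matters. Browsers also omit or truncate it depending on the page's Referrer-Policy and on HTTPS-to-HTTP transitions, which is why the function treats a missing header as "not allowed" rather than guessing.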

