
On my site I use a session id when accessing a page's form content. The sessionid in the URL isn't normally shown because it's accessed through jQuery .load, so the URL doesn't change. The page in reference above needs to be accessed by some outside domains directly. I have used the following PHP at the top of the form page, to show the entire page.

<?php
    // session id from the query string; default to '' when it is absent
    $code     = isset($_GET['sessionid']) ? $_GET['sessionid'] : '';
    $referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

    if (strcmp($code, 'XXXXX') != 0) {
        // the dot is escaped so it matches a literal "." and not any character
        if (preg_match("/alloweddomain\.com/", $referrer)) {
            header('Location: http://www.mydomain.com/desiredpage.php?sessionid=XXXXX');
        } else {
            header("Location: http://www.mydomain.com/otherpage.php");
        }
        exit; // stop here so nothing after the redirect header is sent
    }
?>

Is there a way with .htaccess to remove the session ID? I've tried the following but get 500 Internal Server Errors.

RewriteEngine On
RewriteBase /
"lots of 301 redirects"
HTTP_REFERER variable RewriteCond %{HTTP_REFERER} !aloweddomain.com RewriteCond %{QUERY_STRING} !="sessionid=XXXXX" RewriteRule .* /desiredpage.php? [R=301,L]

**EDIT** used this, filling in the appropriate details

RewriteCond %{HTTP_REFERER} !**aloweddomain.com** [OR]
RewriteCond %{QUERY_STRING} !=sessionid=**XXXXX**
RewriteRule .* /**desiredpage**.php? [R=301,L]

I just get a Firefox error that it can't complete the redirect.


1 Answer

You forgot newlines:

RewriteCond %{HTTP_REFERER} !aloweddomain.com [OR]
RewriteCond %{QUERY_STRING} !=sessionid=XXXXX
RewriteRule .* /desiredpage.php? [R=301,L]

This will redirect all URLs that don't come from aloweddomain.com or don't have the query string. I forgot about [OR]: if there is no [OR] then both conditions must be true.

And if desiredpage.php is simply a page that shows that you can't access the site, then you can return 403 Forbidden instead of a redirect:

RewriteRule .* - [F,L]

If you want to call it from AJAX or a custom domain:

$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$xrw     = isset($_SERVER['HTTP_X_REQUESTED_WITH']) ? $_SERVER['HTTP_X_REQUESTED_WITH'] : '';

// escaped dot: match a literal "domain.com", not "domainXcom"
if (preg_match('/domain\.com/', $referer) || $xrw == 'XMLHttpRequest') {
   // allowed
   header('Location: http://www.mydomain.com/desiredpage.php');
} else {
   // not allowed
   header('Location: http://www.mydomain.com/otherpage.php');
}
exit; // do not render anything after the redirect header

Code for desiredpage.php:

$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$xrw     = isset($_SERVER['HTTP_X_REQUESTED_WITH']) ? $_SERVER['HTTP_X_REQUESTED_WITH'] : '';

if (!(preg_match('/domain\.com/', $referer) || $xrw == 'XMLHttpRequest')) {
   header('Location: http://www.mydomain.com/otherpage.php');
   exit; // stop before the form is output
}
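The comments below point out that a redirect-based check is easy to walk around, and that the check should live in desiredpage.php itself. The following is an added example, not the answer's or the asker's code, of that approach: it answers 403 in place instead of redirecting, reads both headers defensively, and compares the Referer host exactly instead of with an unanchored regex (so a host that merely contains the allowed name does not pass). It assumes PHP 7 or later; `alloweddomain.com` and the function name `requestIsAllowed` are placeholders.

```php
<?php
// Added example: do the access check inside desiredpage.php and stop with 403,
// rather than redirecting to another page. Placeholder domain and names.

declare(strict_types=1);

/**
 * Decide from request headers whether the form may be shown.
 * Both Referer and X-Requested-With are supplied by the client, so this only
 * prevents casual direct linking; it does not replace a real session check.
 */
function requestIsAllowed(array $server, string $allowedHost): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $xrw     = $server['HTTP_X_REQUESTED_WITH'] ?? '';

    // Take the host out of the Referer URL and compare it exactly
    // (or as a subdomain of the allowed host), not as a substring.
    $host   = parse_url($referer, PHP_URL_HOST);
    $suffix = '.' . $allowedHost;
    $hostOk = is_string($host) && (
        strcasecmp($host, $allowedHost) === 0
        || (strlen($host) > strlen($suffix)
            && strcasecmp(substr($host, -strlen($suffix)), $suffix) === 0)
    );

    // jQuery .load() sends X-Requested-With: XMLHttpRequest, so the site's
    // own AJAX calls pass even when the browser omits the Referer.
    return $hostOk || $xrw === 'XMLHttpRequest';
}

if (!requestIsAllowed($_SERVER, 'alloweddomain.com')) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Forbidden\n";
    exit; // nothing of the form below is ever sent
}

// ... the rest of desiredpage.php (the form HTML) follows here ...
```

Because the decision and the content are in the same file, there is no second URL for a visitor to open directly, which is the bypass the comments describe. The sessionid parameter is not needed for this check at all.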

14 Comments

And this won't affect the entire site, just that page, right? Nope, it doesn't work; I just get a FF message "Problem loading Page...redirecting in a way ff cannot resolve".
How about if I just check to see if it's either an XMLHttpRequest (mine) or from the allowed domain? That would get rid of the stupid sessionid, right?
You can't check for custom headers in .htaccess, but I put a solution in PHP.
But if you put the redirect in a PHP script, then the user can check the destination page and access it normally, bypassing your check. The best way is not to redirect to other pages but to do your stuff in the same file.
@jcubic - really close now. The only way I could get it to load the page was with the page name and extension added: '/domain.com/page.php'. Warning: preg_match() [function.preg-match]: Unknown modifier 'd' in /home/xxx/public_html/desiredpage.php on line 2 Warning: Cannot modify header information - headers already sent by (output started at /home/xxx/public_html/desiredpage.php:2) in /home/xxx/public_html/desiredpage.php on line 8
