Denying access to page unless through an iframe

I have some important checkout pages that are served via an iframe within a secure page. It works great; however, (if they knew the URL) a user could still access the page directly. Is there any way to check that a page is being served via an iframe and deny direct access?


No. Even if there was, it would be easily spoofed (it's not too hard to create a blank HTML page with a single iframe). I would suggest you rethink your security strategy. For example, you can use some unique URL to reference your page, which would be generated by the parent page, e.g.

<iframe src="http://secret.com/checkout_page.php?id=9865786&hash=hkdjlvhb3k4h5t98fgh34kh"></iframe>

On the checkout page you will have to check that the id is unique and was never used before, and that the hash corresponds to this id. For the hash you can use md5 with salt (md5(id.$salt)). This would be quite secure (as long as $salt is kept secure).

0
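The scheme from the answer above, sketched as an added example (not code from the original post): the parent page mints a single-use id with a keyed hash, and the checkout page rejects forged or replayed links. It swaps the answer's md5(id.$salt) for HMAC-SHA256 with a constant-time comparison; the function names, the `CHECKOUT_KEY` constant and the in-memory `$used` store are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Assumption: in production the key is loaded from server-side config.
// Constructed sample key, for this demo only.
const CHECKOUT_KEY = 'constructed-demo-key-replace-me';

/** Parent page: mint a fresh id and its keyed hash for the iframe URL. */
function issue_checkout_link(string $key): array
{
    $id = bin2hex(random_bytes(16));          // unguessable, unique per page load
    $hash = hash_hmac('sha256', $id, $key);   // keyed hash in place of md5(id.$salt)
    return ['id' => $id, 'hash' => $hash];
}

/**
 * Checkout page: accept the request only if the hash matches the id and
 * the id has never been used. $used stands in for a database table or
 * session store (hypothetical; use an atomic insert in a real deployment).
 */
function accept_checkout_request(string $id, string $hash, string $key, array &$used): bool
{
    $expected = hash_hmac('sha256', $id, $key);
    if (!hash_equals($expected, $hash)) {     // constant-time comparison
        return false;                         // forged or tampered link
    }
    if (isset($used[$id])) {
        return false;                         // replay of an already-used id
    }
    $used[$id] = true;                        // burn the id on first use
    return true;
}

$used = [];
$link = issue_checkout_link(CHECKOUT_KEY);
echo 'checkout_page.php?' . http_build_query($link), PHP_EOL;

// First load of the minted link, then a replay, then a mismatched id.
var_dump(accept_checkout_request($link['id'], $link['hash'], CHECKOUT_KEY, $used));
var_dump(accept_checkout_request($link['id'], $link['hash'], CHECKOUT_KEY, $used));
var_dump(accept_checkout_request('9865786', $link['hash'], CHECKOUT_KEY, $used));
```

As the answer says, this does not detect framing: it only shows that the URL was minted by the parent page and has not been used yet.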
