
How do I make a secure link to a page on my website?

So what I would like to do is have a link on an external website (example: externalsite.com) that will go to mywebsite.com/page.php, and I need to make it so ONLY clicking on the link from externalsite.com will allow you to access mywebsite.com/page.php. The user cannot simply type it in their browser to get there. How would I go about doing this?


There's not a way to do this in a 100% secure manner. The browser typically sends a Referrer header with each request specifying where the user came from, but this is easily faked.

If possible, I would suggest having the externalsite.com issue a request to an authenticated web service on mywebsite.com for a token which is appended to the link with a reasonably short expiry time (long enough to allow the user to click on the link, but not so long that it can be shared around). Then, when the page on mywebsite.com loads, it should check for a valid token.


Given that no method is 100% secure, I'll show you a very easy, overtly insecure method that will work in any framework because it's pure JavaScript. Keep in mind that this is designed to work only as a general rule and is in no way "hacker proof".

Simply add this script to your mywebsite.com/page.php. It will redirect any request that isn't referred by a page on externalsite.com.

// document.referrer is whatever the browser chose to send; it may be empty or forged.
var referrer = document.referrer;
referrer = referrer.toLowerCase();
// Substring match: accepts "//externalsite.com/..." and any "*.externalsite.com" host.
if (referrer.indexOf("/externalsite.com") == -1 && referrer.indexOf(".externalsite.com") == -1) {
    window.location.href = "http://mysite.com/accessdenied.php";
} else {
    // Body starts hidden (see below); reveal it only after the referrer check passes.
    document.getElementById("myBody").style.display = "block";
}

To get around the whole "if you disable JavaScript, this doesn't work, you idiot" dilemma, add id="myBody" style="display: none;" to your page's <body> tag: the page will not be displayed unless JavaScript is enabled and validates the referring URL. Also, I'm not an idiot.

There are several ways to bypass this method: spoof the referring url, use FireBug to remove display: none, view the source of the page and recreate it on your local machine, etc. This method is more of a deterrent than a security feature.


You really can't make it 100% secure, and (probably) definitely not with a link (unless you use JavaScript to submit the form with a link in method 1 below). But there are some ways that might work for you.

Method 1

You could submit a form to the page with a button (and that's it - just the button) and then on the page, check if the correct form was submitted. But this is still not foolproof.

External site:

<form action="http://mywebsite.com/page.php" method="post">
<!-- the hidden field needs a non-empty value, or the PHP check below always fails -->
<input type="hidden" name="pagesecuredsdjp91dx9x8yhr4kbbki" value="1" />
<input type="submit" value="Click here" />
</form>

Top of page.php:

<?php
// empty() is false for a missing key too, so this doesn't raise an undefined-index notice
if (empty($_POST['pagesecuredsdjp91dx9x8yhr4kbbki'])) {
    die("Sorry, you cannot access this page.");
} else {
    // continue page
}
?>

I don't think you can just make a link do this.


Method 2

Pass a variable in the URL, but this is not recommended as the user could add it in the URL to get in.

Top of page.php:

<?php
// Only checks that the parameter is present and non-empty, not what it contains
if (empty($_GET['securedpageaccess'])) {
    die("Sorry, you cannot access this page");
} else {
    // continue page
}
?>

External site:

<a href="http://mysite.com/page.php?securedpageaccess=sdjp91dx9sdjp9sdjp91d8ybbkix8yhr4kbbki">Click here</a>

The random characters in the URL are just something put in there and aren't mandatory.


I recommend using the first method if you use either of them.

I hope this helps.
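As an added example (not code from either answer above), here is what the first answer's short-lived token looks like when externalsite.com can compute it itself from a secret shared with mywebsite.com, instead of fetching it from a web service; it is also the hardened form of Method 2 above, where the static `securedpageaccess` value becomes a signed expiry that cannot be retyped or reused later. The secret, the parameter names `exp` and `sig`, the 120-second lifetime and the function names are assumptions.

```php
<?php
// Added example: an expiring, signed link from externalsite.com to mywebsite.com/page.php.
// Both sites hold the same secret (exchanged out of band). All names are assumptions.
const SHARED_SECRET = 'replace-with-a-long-random-secret';
const LINK_LIFETIME = 120; // seconds a link stays valid: enough to click, too short to pass around

// externalsite.com: build the link. The signature covers the target and the expiry,
// so changing either one invalidates it.
function make_signed_link(string $secret, int $now, int $lifetime = LINK_LIFETIME): string
{
    $exp = $now + $lifetime;
    $sig = hash_hmac('sha256', 'page.php|' . $exp, $secret);
    return 'http://mywebsite.com/page.php?exp=' . $exp . '&sig=' . $sig;
}

// mywebsite.com/page.php: accept only a request that is both unexpired and correctly signed.
function link_is_valid(array $query, string $secret, int $now): bool
{
    if (!isset($query['exp'], $query['sig'])
        || !is_string($query['exp']) || !is_string($query['sig'])
        || !ctype_digit($query['exp'])) {
        return false; // missing or malformed parameters
    }
    $exp = (int) $query['exp'];
    if ($exp < $now) {
        return false; // link has expired
    }
    $expected = hash_hmac('sha256', 'page.php|' . $exp, $secret);
    // Constant-time compare so a forger learns nothing from response timing
    return hash_equals($expected, $query['sig']);
}

if (PHP_SAPI === 'cli') {
    // Command-line self-check of the three cases that matter
    $now  = time();
    $link = make_signed_link(SHARED_SECRET, $now);
    parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
    var_dump(link_is_valid($q, SHARED_SECRET, $now));        // fresh link
    var_dump(link_is_valid($q, SHARED_SECRET, $now + 3600)); // same link an hour later
    $q['sig'] = strrev($q['sig']);
    var_dump(link_is_valid($q, SHARED_SECRET, $now));        // tampered signature
} elseif (!link_is_valid($_GET, SHARED_SECRET, time())) {
    // Top of page.php: anything not produced by the partner in the last two minutes is refused
    http_response_code(403);
    die('Sorry, you cannot access this page.');
}
// continue page
```

The same `exp`/`sig` pair can be carried in the hidden field of Method 1's form instead of the query string. The link is still a bearer token: within its lifetime it can be copied, it sits in browser history, and it leaks through the Referer header of any outbound link on page.php, so serve both sites over HTTPS and, if mywebsite.com knows who the user is, include that identity in the signed string so the link only works for them.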


I've dealt with a system before that provides a link for the partner site; this link is used to generate a new temporary link for the user to be redirected to. The first link (not the temporary one) can only be accessed by authorized IP addresses. This means only the partner site can use the link.

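The scheme in the last answer, as an added example that is not the answerer's code: a generator endpoint that only the partner's server address may call issues a random, single-use token, and page.php redeems each token exactly once before it expires. The partner IP, the 60-second lifetime, the parameter name `t`, the function names and the array-backed store are assumptions; in production the store would be a database or cache shared by every web server behind mywebsite.com.

```php
<?php
// Added example: IP-restricted link generator issuing single-use temporary links.
// The partner IP, lifetime and parameter name are assumptions; the array store stands
// in for a database or cache that all of mywebsite.com's servers can see.
const PARTNER_IPS        = ['203.0.113.10']; // partner's server address (documentation range)
const TEMP_LINK_LIFETIME = 60;               // seconds before an unused link dies

// generate.php: reachable only from the partner's server.
function issue_temporary_link(array &$store, string $client_ip, int $now): ?string
{
    if (!in_array($client_ip, PARTNER_IPS, true)) {
        return null; // anyone else gets nothing
    }
    $token = bin2hex(random_bytes(16));         // 128 random bits: not guessable
    $store[$token] = $now + TEMP_LINK_LIFETIME; // remember when it stops being valid
    return 'http://mywebsite.com/page.php?t=' . $token;
}

// page.php: a token is good once, and only before it expires.
function redeem_temporary_token(array &$store, ?string $token, int $now): bool
{
    if ($token === null || !isset($store[$token])) {
        return false; // unknown, already used, or never issued
    }
    $expires = $store[$token];
    unset($store[$token]);   // burn it first, so a replayed link finds nothing
    return $now <= $expires;
}

if (PHP_SAPI === 'cli') {
    // Command-line self-check
    $store = [];
    $now   = time();
    var_dump(issue_temporary_link($store, '198.51.100.7', $now)); // not the partner
    $link = issue_temporary_link($store, '203.0.113.10', $now);
    parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
    var_dump(redeem_temporary_token($store, $q['t'], $now));      // first visit
    var_dump(redeem_temporary_token($store, $q['t'], $now));      // same link again
} else {
    // Top of page.php. Assumption: $store is loaded from (and written back to) your real store.
    $store = [];
    $token = (isset($_GET['t']) && is_string($_GET['t'])) ? $_GET['t'] : null;
    if (!redeem_temporary_token($store, $token, time())) {
        http_response_code(403);
        die('Sorry, you cannot access this page.');
    }
    // continue page
}
```

The partner must call generate.php from its own server, not from the user's browser, or the address you see is the user's and the IP check means nothing. On generate.php compare against `$_SERVER['REMOTE_ADDR']`; if mywebsite.com sits behind a proxy or load balancer that value is the proxy's, and an `X-Forwarded-For` header is only trustworthy when your own proxy sets it and strips whatever the client sent.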