HTTP_REFERER困境:只有当访问者事先访问过另一个特定页面时,我才能允许访问特定页面?
[英]HTTP_REFERER woes: How can I allow access to a specific page, only when a visitor has visited another specific page beforehand?
问题描述
PHP newbie here, struggling like crazy to get his head around how to go about implementing a HTTP_REFERER-based security feature into my woefully inept downloads system. 
PHP新手在这里疯狂地挣扎着如何在我糟糕的下载系统中实现基于HTTP_REFERER的安全功能。
Basically, I have it where my file download pages have a specific string appended to the end of the URL, this specific string being: 基本上,我有它在我的文件下载页面有一个特定的字符串附加到URL的末尾,这个特定的字符串是:
?thanks
If that is visible in the URL, then users will be able to download the file situated on it. 如果在URL中可以看到,那么用户将能够下载位于其上的文件。 It works great, but it's easy to 'unlock' a page by simply adding the '?thanks' part onto the URL themselves. 它的效果很好,但只需在URL本身上添加“?thanks”部分即可轻松“解锁”页面。 Effectively allowing users to bypass my clumsy security and access my premium files with ease. 有效地允许用户绕过我笨拙的安全性并轻松访问我的高级文件。
If possible, I'd like to add a security measure whereby anyone attempting to access a page containing the string '?thanks' that did not previously arrive from a page containing '?pending' be redirected to the homepage. 如果可能的话,我想添加一个安全措施,任何试图访问包含以前没有从包含'?pending'的页面到达的字符串'?thanks'的页面的人都被重定向到主页。 That would make for the perfect solution for me. 这将为我提供完美的解决方案。
Just for clarity, the typical pre-download process goes like this: 为清楚起见,典型的预下载过程如下:
- User visits download page: [website]/download/page/123/ 用户访问下载页面:[网站] / download / page / 123 /
- User completes Recaptcha, gets redirected to here: [website]/download/page/123/?pending 用户完成Recaptcha,被重定向到这里:[website] / download / page / 123 /?pending
- User fills in details, gets redirected to here: [website]/download/page/123/?thanks 用户填写详细信息,重定向到这里:[网站] / download / page / 123 /?谢谢
- User receives their file 用户收到他们的文件
Long-winded, yes, but it would be more than ideal for my unusual requirements. 啰嗦,是的,但对于我不寻常的要求来说,这将是非常理想的。 I also know that users can likely get around this by first appending '?pending' to the URL and then appending '?thanks' afterwards, but it still really, really would help to no end. 我也知道用户可以通过首先在URL上附加'?pending'然后追加'?thanks'来解决这个问题,但它仍然真的,真的会有所帮助。
So, StackOverflow, can any of you wizened and kindly coders help a fledgling web designer out? 那么,StackOverflow,你们中的任何一个人都可以干嘛和善良的程序员帮助一个初出茅庐的网页设计师吗? I thank you for any and all help. 我感谢你的帮助。 Cheers guys. 干杯伙计们。
Edit: Oh, and here's one failed method that was last attempted but bombed horribly, just in case it helps further illustrate my goal: 编辑:哦,这是一个失败的方法,最后一次尝试,但轰炸可怕,以防万一它有助于进一步说明我的目标:
if (('http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'] == wp_get_shortlink().'?thanks') && (isset($_SERVER['HTTP_REFERER']) && preg_match("/".preg_quote('?pending',"/")."/i",$_SERVER['HTTP_REFERER']))) {
echo 'Hurrah!';
} else {
echo 'Oh dear.';
}
2 个解决方案
解决方案1
2 2013-04-05 10:00:13
If it all just depends on information in the request itself , there's no way to enforce what you're trying to do. 如果这一切只取决于请求本身的信息 ,那么就没有办法强制执行你想要做的事情。 A referer is also just an arbitrary request header . 引用者也只是一个任意请求头 。
What you need is actual server side state . 你需要的是实际的服务器端状态 。 Open a session for the user, give the process he's going through some random unique id which is carried across each page in the process and save the progress and messages to be displayed next in the session. 为用户打开一个会话,给出他正在经历一个随机唯一ID的过程,该ID在过程中的每个页面上传送,并保存会话中接下来要显示的进度和消息。
解决方案2
1 2013-04-05 10:03:30
There is no such thing like "HTTP_REFERER-based security". 没有像“基于HTTP_REFERER的安全性”这样的东西。 That's oxymoron. 这是矛盾的。
For security in general you have to use SESSION. 为了安全起见,您必须使用SESSION。 And in your particular case it seems the best fit too: just store in the session the fact that whatever page was visited and then check that value on whatever else page 在您的特定情况下,它似乎也是最合适的:只需在会话中存储访问任何页面的事实,然后在其他任何页面上检查该值
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.