
HTTP_REFERER woes: How can I allow access to a specific page, only when a visitor has visited another specific page beforehand?

PHP newbie here, struggling like crazy to get his head around how to go about implementing an HTTP_REFERER-based security feature into my woefully inept downloads system.

Basically, I have it where my file download pages have a specific string appended to the end of the URL, this specific string being:

?thanks

If that is visible in the URL, then users will be able to download the file situated on it. It works great, but it's easy to 'unlock' a page by simply adding the '?thanks' part onto the URL themselves, effectively allowing users to bypass my clumsy security and access my premium files with ease.

If possible, I'd like to add a security measure whereby anyone attempting to access a page containing the string '?thanks' who did not previously arrive from a page containing '?pending' is redirected to the homepage. That would make for the perfect solution for me.

Just for clarity, the typical pre-download process goes like this:

  • User visits download page: [website]/download/page/123/
  • User completes Recaptcha, gets redirected to here: [website]/download/page/123/?pending
  • User fills in details, gets redirected to here: [website]/download/page/123/?thanks
  • User receives their file

Long-winded, yes, but it would be more than ideal for my unusual requirements. I also know that users can likely get around this by first appending '?pending' to the URL and then appending '?thanks' afterwards, but it still really, really would help to no end.

So, StackOverflow, can any of you wizened and kindly coders help a fledgling web designer out? I thank you for any and all help. Cheers guys.

Edit: Oh, and here's one failed method that was last attempted but bombed horribly, just in case it helps further illustrate my goal:

// Require two things at once: the current URL must equal this post's
// shortlink plus '?thanks', and the Referer header (if the browser sent
// one at all) must contain '?pending' somewhere, case-insensitively.
if (('http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'] == wp_get_shortlink().'?thanks')
    && (isset($_SERVER['HTTP_REFERER']) && preg_match("/".preg_quote('?pending', "/")."/i", $_SERVER['HTTP_REFERER']))) {
    echo 'Hurrah!';   // both checks passed
} else {
    echo 'Oh dear.';  // wrong URL, no Referer, or Referer without '?pending'
}

If it all just depends on information in the request itself, there's no way to enforce what you're trying to do. A referer is also just an arbitrary request header.

What you need is actual server side state. Open a session for the user, give the process he's going through some random unique id which is carried across each page in the process and save the progress and messages to be displayed next in the session.

There is no such thing as "HTTP_REFERER-based security". That's an oxymoron.

For security in general you have to use SESSION. And in your particular case it seems the best fit too: just store in the session the fact that whatever page was visited and then check that value on whatever other page.
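As an added example (not code from the question or from either answer), here is what the session-based approach both answers recommend could look like in PHP for the three-step flow in the question. The visitor's progress is kept in $_SESSION under a random process id carried in the URL as pid, and the Referer header is never consulted. The URL pattern follows the question; the five site hooks named in the comment (captcha_passed, details_valid, show_captcha_form, show_details_form, send_file) are assumptions standing in for the site's existing captcha, form and file-sending code.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or either answer. Each visitor's
// progress through the flow is recorded server side in $_SESSION under a
// random process id ("pid") that the forms carry along, so a hand-typed
// "?pending" or "?thanks" proves nothing on its own.
// Hypothetical site hooks assumed to exist elsewhere in the site's code:
//   captcha_passed(array $post): bool, details_valid(array $post): bool,
//   show_captcha_form(string $pid), show_details_form(string $pid),
//   send_file(int $fileId).

const STEPS = ['start', 'pending', 'thanks'];   // the only permitted order

/** Register a new process for $fileId in the session and return its id. */
function start_process(int $fileId): string
{
    $pid = bin2hex(random_bytes(16));            // unguessable, per visitor
    $_SESSION['dl'][$pid] = ['file' => $fileId, 'step' => 'start'];
    return $pid;
}

/** Return the process record for $pid, or null if this session never started it. */
function load_process(string $pid): ?array
{
    return $_SESSION['dl'][$pid] ?? null;
}

/**
 * Advance $pid to $next only if it is currently at the step immediately
 * before it, so steps can be neither skipped nor repeated.
 */
function advance(string $pid, string $next): bool
{
    $proc = load_process($pid);
    $idx  = array_search($next, STEPS, true);
    if ($proc === null || $idx === false || $idx === 0) {
        return false;
    }
    if ($proc['step'] !== STEPS[$idx - 1]) {
        return false;                            // out of order: refuse
    }
    $_SESSION['dl'][$pid]['step'] = $next;
    return true;
}

function redirect_home(): void
{
    header('Location: /');
    exit;
}

// ---- request handling: URLs look like /download/page/123/?pending&pid=... --
session_start();

if (!preg_match('#^/download/page/(\d+)/#', $_SERVER['REQUEST_URI'], $m)) {
    redirect_home();
}
$fileId = (int) $m[1];
$pid    = (string) ($_GET['pid'] ?? '');
$proc   = load_process($pid);

if (isset($_GET['thanks'])) {
    // Step 3: the file goes out only if this same session reached "pending"
    // for this same file and the details form validates.
    if ($proc === null || $proc['file'] !== $fileId || !details_valid($_POST)) {
        redirect_home();
    }
    if (!advance($pid, 'thanks')) {
        redirect_home();
    }
    unset($_SESSION['dl'][$pid]);                // single use: no replay of the pid
    send_file($fileId);
} elseif (isset($_GET['pending'])) {
    // Step 2: reachable only after the captcha posted from step 1 verifies.
    if ($proc === null || $proc['file'] !== $fileId || !captcha_passed($_POST)) {
        redirect_home();
    }
    if (!advance($pid, 'pending')) {
        redirect_home();
    }
    show_details_form($pid);                     // its form posts to ?thanks&pid=...
} else {
    // Step 1: the plain download page creates the process and shows the captcha.
    $pid = start_process($fileId);
    show_captcha_form($pid);                     // its form posts to ?pending&pid=...
}
```

Because the step is stored in the session and bound to both the pid and the file id, a visitor who appends ?thanks (or ?pending followed by ?thanks) to the URL by hand has no matching server-side record and is sent home; the pid is removed once the file is sent, so a completed process cannot be reused for a second download.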
