How do I only accept requests in my server that is redirected from some specific servers

Question

I have a front-end server that has information of various things that users can download and some back-end servers that has those files. When a user click on the download link of a file they redirected to the back-end server that has those files.

Now I want to accept request in my back-end server if and only if the request is redirected from the front-end server, so that users cannot access the back-end server directly.

Is there any way to do this ? Please help me!

Thank You

Answer 1

   if(isset($_SERVER['HTTP_REFERER']) && ($_SERVER['HTTP_REFERER']=='yoursite.com' ) {

    }

'HTTP_REFERER' - The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted ( source ).

Answer 2

The problem is that when your front-end server redirects user to your back-end server it does it "through the user".

That is, "www.front-end.com" tells the user to assign her HTTP referer header field a value "www.front-end.com" and then to send this HTTP request to the "www.back-end.com". Smart user can modify her headers and trick your system.

For your case you should do some more work and implement something that Rapidshare or Megaupload or most other filehostings do.

One of the ideas might be following: the front-end generates a secret random string ("$ticket"). It then communicates it to the back-end (via curl or directly) asking to store it into the back-end's db. Then the front-end redirects the user in the following way:

header("Location: http://www.back-end.com/index.php?ticket=$ticket");

The back-end compares the ticket and lets user in.

You need also some guard against misusing it like invalidating tickets after some period of time.