MikeJerome

Reputation: 660

How can I protect my website content from being accessed by cURL?

I have a website that requires users to log in before accessing the content. On each protected page, I use this code, which works fine when accessed from a browser:

// check if they are logged in
if (!isset($_SESSION['valid_user'])) {
    header('Location: ./login.php');
}

// functions to display the page
display_page();

The problem is that if I access the page using cURL, the redirect doesn't happen and the content is returned. This concerns me... what can I do?

I tried adding else if(isset($_SESSION['valid_user'])){//display page} but that didn't work.

Upvotes: 0

Views: 967

Answers (2)

fvu

Reputation: 32953

In its present state you send a header to redirect the user to the login page, but you still serve up the page content. Just stop doing that, like this:

// check if they are logged in
if (!isset($_SESSION['valid_user'])) {
    header('Location: ./login.php');
    // and get out of here if they aren't
    exit();
}
// OK, they're logged in, let them see some content
// functions to display the page
display_page();

or

// check if they are logged in
if (!isset($_SESSION['valid_user'])) {
    // not logged in: send the redirect and display nothing
    header('Location: ./login.php');
} else {
    // OK, they're logged in, let them see some content
    // functions to display the page
    display_page();
}

Upvotes: 6
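
A regression check for the bug this answer fixes, as an added example that is not part of the original answer: it requests a page with no session cookie, does not follow the redirect (which is also curl's default), and flags any 3xx response that still carries a body. The local `DemoHandler` server and the `/leaky` and `/fixed` paths are constructed stand-ins for the PHP page without and with `exit()`.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PAGE = b"<h1>members-only content</h1>"  # constructed sample body


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the PHP pages; requests never carry a session."""

    def do_GET(self):
        # /leaky: redirect header set, script keeps running, page is sent.
        # /fixed: redirect header set, then exit(), so the body is empty.
        body = PAGE if self.path == "/leaky" else b""
        self.send_response(302)
        self.send_header("Location", "./login.php")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def leaks_on_redirect(host, port, path):
    """True when a cookie-less GET gets a 3xx response that still has a body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)  # http.client never follows redirects
        resp = conn.getresponse()
        return 300 <= resp.status < 400 and len(resp.read()) > 0
    finally:
        conn.close()


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        return {p: leaks_on_redirect("127.0.0.1", port, p) for p in ("/leaky", "/fixed")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Pointing `leaks_on_redirect` at each protected page of your own site in a test suite catches a page that was added later without the `exit()`.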

SQRCAT

Reputation: 5840

Protecting your website from being accessed by curl is, to my knowledge, not possible. curl can come up with any kind of faked browser identification. Aside from that, no server can safely know if the requests are not coming from a browser.

If you, however, want curl to react to the headers, try this:

curl_setopt($curl_handle, CURLOPT_FOLLOWLOCATION, 1);

From the docs:

TRUE to follow any "Location: " header that the server sends as part of the HTTP header (note this is recursive, PHP will follow as many "Location: " headers that it is sent, unless CURLOPT_MAXREDIRS is set).

See the PHP doc for further details

Upvotes: 0
