473,322 Members | 1,421 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,322 software developers and data experts.

restricting direct access to popup form--advice needed

I have a popup window (required by the client) containing a form and would
like to prevent users from accessing it directly. They are instead required
to access the page via a hyperlink on another page. HTTP_REFERER, while not
completely reliable, would serve the purpose except for another problem. The
hyperlink points to a JavaScript function which opens the popup. This yields
HTTP_REFERER worthless. My other thought was to create a session_id and pass
it to the popup. However this session_id would not be valid in the new popup
window.

Bottom line, I need to validate the user to insure they are accessing the
page through the "front door".

All comments/suggestion appreciated.

Thanks.
Jul 17 '05 #1
2 2685
"Xenophobe" wrote:
I have a popup window (required by the client) containing a form and would
like to prevent users from accessing it directly. They are instead
required
to access the page via a hyperlink on another page. HTTP_REFERER,
while not
completely reliable, would serve the purpose except for another
problem. The
hyperlink points to a JavaScript function which opens the popup. This yields
HTTP_REFERER worthless. My other thought was to create a session_id
and pass
it to the popup. However this session_id would not be valid in the new popup
window.

Bottom line, I need to validate the user to insure they are accessing the
page through the "front door".

All comments/suggestion appreciated.

Thanks.


Take some server variables known to all scripts and pass them via url.

E.g. do an md5( $_SERVER[’REMOTE_ADDR’] . $_SERVER[’SERVER_NAME’]);

and pass that via URL. Now the popped script can also do an md5 and
compare. This md5’ed string would be unique for each user (due to
IP).
If you want them to do the form, say within 10 minutes, add some
timing info to the above as well.

--
http://www.dbForumz.com/ This article was posted by author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.dbForumz.com/PHP-restrict...ict135858.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.dbForumz.com/eform.php?p=454421
Jul 17 '05 #2
Because the use of existing client side JavaScript passing values via the
URL isn't practical. However, it turns out using session variables works
perfectly fine once they're set correctly and the state is managed
correctly.

"steve" <Us************@dbForumz.com> wrote in message
news:41**********@news.athenanews.com...
"Xenophobe" wrote:
> I have a popup window (required by the client) containing a form and
> would
> like to prevent users from accessing it directly. They are instead
> required
> to access the page via a hyperlink on another page. HTTP_REFERER,
> while not
> completely reliable, would serve the purpose except for another
> problem. The
> hyperlink points to a JavaScript function which opens the popup.

This
> yields
> HTTP_REFERER worthless. My other thought was to create a session_id
> and pass
> it to the popup. However this session_id would not be valid in the

new
> popup
> window.
>
> Bottom line, I need to validate the user to insure they are

accessing
> the
> page through the "front door".
>
> All comments/suggestion appreciated.
>
> Thanks.


Take some server variables known to all scripts and pass them via url.

E.g. do an md5( $_SERVER['REMOTE_ADDR'] . $_SERVER['SERVER_NAME']);

and pass that via URL. Now the popped script can also do an md5 and
compare. This md5'ed string would be unique for each user (due to
IP).
If you want them to do the form, say within 10 minutes, add some
timing info to the above as well.

--
http://www.dbForumz.com/ This article was posted by author's request
Articles individually checked for conformance to usenet standards
Topic URL:

http://www.dbForumz.com/PHP-restrict...ict135858.html Visit Topic URL to contact author (reg. req'd). Report abuse:

http://www.dbForumz.com/eform.php?p=454421
Jul 17 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: Chuck | last post by:
Here is my setup. Netgear Router with a webserver and database server NAT'd behind the firewall. Microsoft Windows 2000, IIS 5 - Web Server Microsoft Windows 2000, MySQL - Database Server ...
12
by: CJM | last post by:
I'm setting up some web-based (ASP) reports that query an Access DB. I also want certain people to be able to access and manipulate the database directly. However, if the database is open in...
0
by: Sharon | last post by:
I'm working with a Frame Grabber that need a buffer (like a C/C++ buffer: byte* pBytes = new bytes), this buffer must be continuous for the frame grabber to access any part of it directly and not...
0
by: Bob Avallone | last post by:
MetaPro Systems Inc. Visual Studio Dot Net Tips & Tricks #3 – Direct Access to Your Outlook Address Book. Project Type: VS.NET Windows Application Code Behind: Visual Basic I have a project...
2
by: bill | last post by:
I am using vb.net and SQL Server 2000. Hopefully i will soon be using VB.net 2005. I would like to prevent users from having direct access to a SQL Server database, and require them to access...
4
by: Bo Peng | last post by:
Dear list, I am looking for a way to store a large amount of unique sequences that will be accessed by objects. The most important operations are: 1. Direct access to the sequences (from...
3
by: Carlos Villaseñor M. | last post by:
Hi everybody! At this time I'm developing my first vusual C#.Net application, and at the same time I making the "Setup and Deployment" project to install that application in another computer,...
0
by: Ken Fine | last post by:
Short version: I want to know how in ASP.NET I could bar direct http access to some files in a directory that match a pattern, but not others. An alternate solution would be to bar all direct http...
2
by: sant.tarun | last post by:
Hi, I am facing some some problem in restricting the access of a variable.... My question is described below..... Let I have two different C source files 'a.c' and 'b.c'. In the file 'a.c'...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.