restricting direct access to popup form--advice needed

I have a popup window (required by the client) containing a form and would
like to prevent users from accessing it directly. They are instead required
to access the page via a hyperlink on another page. HTTP_REFERER, while not
completely reliable, would serve the purpose except for another problem. The
hyperlink points to a JavaScript function which opens the popup. This yields
HTTP_REFERER worthless. My other thought was to create a session_id and pass
it to the popup. However this session_id would not be valid in the new popup
window.

Bottom line, I need to validate the user to ensure they are accessing the
page through the "front door".

All comments/suggestions appreciated.

Thanks.
Jul 17 '05 #1
"Xenophobe" wrote:
> I have a popup window (required by the client) containing a form and would
> like to prevent users from accessing it directly. They are instead required
> to access the page via a hyperlink on another page. HTTP_REFERER, while not
> completely reliable, would serve the purpose except for another problem. The
> hyperlink points to a JavaScript function which opens the popup. This yields
> HTTP_REFERER worthless. My other thought was to create a session_id and pass
> it to the popup. However this session_id would not be valid in the new popup
> window.
>
> Bottom line, I need to validate the user to ensure they are accessing the
> page through the "front door".
>
> All comments/suggestions appreciated.
>
> Thanks.


Take some server variables known to all scripts and pass them via url.

E.g. do an md5( $_SERVER['REMOTE_ADDR'] . $_SERVER['SERVER_NAME']);

and pass that via URL. Now the popped script can also do an md5 and
compare. This md5’ed string would be unique for each user (due to
IP).
If you want them to do the form, say within 10 minutes, add some
timing info to the above as well.

Jul 17 '05 #2
Because the use of existing client-side JavaScript passing values via the
URL isn't practical. However, it turns out using session variables works
perfectly fine once they're set correctly and the state is managed
correctly.

"steve" <Us************@dbForumz.com> wrote in message
news:41**********@news.athenanews.com...
"Xenophobe" wrote:
> I have a popup window (required by the client) containing a form and would
> like to prevent users from accessing it directly. They are instead required
> to access the page via a hyperlink on another page. HTTP_REFERER, while not
> completely reliable, would serve the purpose except for another problem. The
> hyperlink points to a JavaScript function which opens the popup. This yields
> HTTP_REFERER worthless. My other thought was to create a session_id and pass
> it to the popup. However this session_id would not be valid in the new popup
> window.
>
> Bottom line, I need to validate the user to ensure they are accessing the
> page through the "front door".
>
> All comments/suggestions appreciated.
>
> Thanks.


Take some server variables known to all scripts and pass them via url.

E.g. do an md5( $_SERVER['REMOTE_ADDR'] . $_SERVER['SERVER_NAME']);

and pass that via URL. Now the popped script can also do an md5 and
compare. This md5'ed string would be unique for each user (due to
IP).
If you want them to do the form, say within 10 minutes, add some
timing info to the above as well.

Jul 17 '05 #3
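
As an added example (not code posted by anyone in this thread), here is one way to combine the two ideas above: a token passed in the popup URL, as in reply #2, checked against a session variable with a 10-minute window, as in reply #3. The function names, the `popup` session key and the sample clock values are assumptions; `$session` stands in for `$_SESSION` after `session_start()`.

```php
<?php
// Added example, not code from the thread. Names and sample values are
// assumptions made for illustration.

const POPUP_TTL = 600; // seconds; the "say within 10 minutes" window

// Launcher page: mint a random one-time token, remember it in the session,
// and return it so it can be appended to the URL the popup opens.
function issue_popup_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['popup'] = ['token' => $token, 'issued' => $now];
    return $token;
}

// Popup page: allow the request only if the presented token matches the
// one stored in the session, is still fresh, and has not been used yet.
function check_popup_token(array &$session, string $presented, int $now): bool
{
    $entry = $session['popup'] ?? null;
    unset($session['popup']);            // one-time: consumed on first check
    if (!is_array($entry)) {
        return false;                    // nothing was issued: direct access
    }
    if ($now - $entry['issued'] > POPUP_TTL) {
        return false;                    // link is older than the window
    }
    return hash_equals($entry['token'], $presented); // constant-time compare
}

// Constructed walk-through with a fake session array and clock.
$session = [];
$t0 = 1700000000;
$cases = [];
$token = issue_popup_token($session, $t0);
$cases['opened from launcher'] = check_popup_token($session, $token, $t0 + 30);
$cases['same link replayed'] = check_popup_token($session, $token, $t0 + 60);
$token = issue_popup_token($session, $t0);
$cases['opened after window'] = check_popup_token($session, $token, $t0 + POPUP_TTL + 1);
$empty = [];
$cases['direct access, no session entry'] = check_popup_token($empty, 'guessed', $t0);
foreach ($cases as $label => $ok) {
    echo str_pad($label, 34), $ok ? 'allow' : 'deny', PHP_EOL;
}
```

Because the token is random and stored server-side, it cannot be recomputed from values the client already knows, and the session cookie carries the state into the popup window.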
