Hi there,

I'm trying to figure out how to restrict access to a page unless the page is navigated to from a specific "gate" page. Essentially I want the page to be unaccessible unless you're coming from the page that comes before it in my sitemap. I'm not certain this is even possible. If possible, can you limit your suggestions to using either html or javascript?

Thanks!

+5  A: 

If possible, can you limit your suggestions to using either html or javascript?

No. Because there is no secure way using only these two techniques. Everything that goes on on the client side may be manipulated (trivially easy). If you want to be sure, you have to enforce this on the server side by checking for the REFERER (sic!) header.

Mind, even this can be manipulated.

If you're using Apache with mod_rewrite enabled, the following code will restrict access according to the referring page:

RewriteEngine On
# Do not apply the rule to the denial page itself, otherwise a visitor without a
# matching Referer is bounced to access-denied.html in an endless redirect loop.
RewriteCond %{REQUEST_URI} !^/access-denied\.html$
# Anything not referred from www.example.com is redirected (302) to the denial page.
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/.*
RewriteRule .* http://www.example.com/access-denied.html [R,L]

EDIT: I just checked the manual … unfortunately, giving a 401 status code isn't possible here. So the above solution isn't perfect because although it blocks access, it doesn't set the HTTP status accordingly. :-/ Leaves a bad taste in my mouth.

Konrad Rudolph
Agreed. Bad Idea Jeans.
Chris Kloberdanz
okay then, what would be the easiest way to do this?
On the server side you could just put some kind of token in the users session and check that on the other page; the referer check is not needed per se.
Jasper Bekkers
Are you running this on a windows or Linux box? Is ASP and/or PHP installed?
websch01ar
The Symantec security suite and similar remove the request's Referer header. So, anyone using that kind of product will **never** get to the page: no referer != http://www.example.com, therefore response is always 401 Unauthorized
Piskvor
@Piskvor: That's right. Actually, I mostly browse with referrer deactivated anyway. IMHO, automatic referrers are a blatant violation of my privacy.
Konrad Rudolph
A: 

With javascript name a variable called "previous" and set its value to document.referrer. Then execute a condition to determine if the referrer is the proper page, and if not, redirect them.

websch01ar
Unfortunately, referrer is trivial to fake; also, some security software erases it completely.
Piskvor
I would tend to agree with you, and would use sessions to get this information. But, I was only trying to express some kind of a solution within the framework outlined.
websch01ar
A: 

What if you encrypted a variable (like the current date) and placed that in the "gate" link. When you arrive at the new page, a script decrypts the variable and if it doesn't match or isn't even there, the script redirects to another page.

Something like:

<a href="restricted.php?pass=eERadWRWE3ad=">Go!</a>

Edit: I don't know JS well enough to print that code but I know there are several libraries out there that can do all the encryption/decryption for you.

Stephen
+4  A: 

The only effective way is to set and check some access token at the server (it is trivial to manipulate any data at the client, therefore plain JS and HTML are not enough; same for the Referer header). A simplified example in PHP:

gate_page.php:

<?php
session_start();
// Mark this session as having passed through the gate page.
$_SESSION['allowed_access'] = true;
?><a href="protected_page.php">Protected area</a>

protected_page.php:

<?php
session_start();
// empty() also covers the case where the key was never set (no PHP notice).
if (empty($_SESSION['allowed_access'])) {
    header('Location: gate_page.php');
    // Fallback text for clients that do not follow the redirect.
    echo 'Go through the <a href="gate_page.php">entry page</a> first.';
    exit();
}

// whatever happens to be at the protected page

Of course, it is easy to add some password checking and/or other security elements, this is the bare minimum.

Piskvor
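Building on the session flag above and on Stephen's idea of carrying a value in the gate link, here is an added example (not code from any of the answers) that makes the server-side token unguessable, single-use and time-limited; the helper file name gate_token.php and the require layout are assumptions.

```php
<?php
// gate_token.php: helper included by both pages (file name assumed, not from the answers).
declare(strict_types=1);

const GATE_TOKEN_TTL = 300; // seconds a freshly issued token stays valid
// gate_page.php calls this: mint an unguessable single-use token, keep it in the
// server-side session, and return the link the visitor has to follow.
function issue_gate_link(string $target = 'protected_page.php'): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $_SESSION['gate_token'] = $token;
    $_SESSION['gate_token_issued'] = time();
    return $target . '?gate=' . urlencode($token);
}

// protected_page.php calls this: true exactly once for a valid, unexpired token;
// a missing, stale, mismatched or already used token yields false.
function consume_gate_token($presented): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['gate_token'] ?? null;
    $issued   = $_SESSION['gate_token_issued'] ?? 0;
    // Drop the token before checking it, so neither a failed nor a successful attempt can be replayed.
    unset($_SESSION['gate_token'], $_SESSION['gate_token_issued']);

    if ($expected === null || !is_string($presented)) {
        return false;
    }
    if (time() - $issued > GATE_TOKEN_TTL) {
        return false;                             // link is too old
    }
    return hash_equals($expected, $presented);   // constant-time compare; $presented is visitor-controlled
}

// Usage in gate_page.php:
//   require 'gate_token.php';
//   echo '<a href="' . htmlspecialchars(issue_gate_link()) . '">Protected area</a>';
//
// Usage in protected_page.php:
//   require 'gate_token.php';
//   if (!consume_gate_token($_GET['gate'] ?? null)) {
//       header('Location: gate_page.php', true, 303);
//       exit();
//   }
```

Because the secret lives only in the session and is consumed on first use, a copied or bookmarked link stops working, and a stripped Referer header no longer matters.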
A: 

document.history.previous should give you the URL of the last document in the history object. Otherwise, there's no better way of doing it via HTML and Javascript.

Kon