Restrict Access

Mike Henson · #1 Sep 6th, 2007, 20:30

I'm assuming that if this can be resolved it will be by Javascript.

What I need to do is really quite bizarre; I want to restrict access to a website but NOT by using a login process.

I'd like to use Javascript's facility to see the referrer and only allow access to the site from people coming from URL's that are pre-defined.

Can anyone crack this one or point me in the right direction?

Kind regards

Mike

alexgeek · #2 Sep 6th, 2007, 21:21

can you elaborate on predefined URLs
are you talking about a password in the url
something like
http://www.blabla.com/user?password=pass

hard to tell what you mean

Mike Henson · #3 Sep 6th, 2007, 21:50

Hello Alex

I wasn't thinking of using a password in the URL, just the fact that the user has arrived from a specific site / URL.

I will not have access to some of the sites / URL's that are allowed access so having a specific link created with an integral password would cause complications.

Incidentally, the actual referring page should be discarded for the purpose of this exercise so a referring URL of abc.com/link.html should be seen as just abc.com

The javascript in the web page has been told that abc.com, def.com and ghi.com are all OK so it looks at the referer and allows those to proceed but if the referrer is from abc.co.uk (for example) or there is no referrer then entry is refused and the enquiry redirected elsewhere.

I hope this clarifies my query?

alexgeek · #4 Sep 6th, 2007, 21:58

ah yeah.
i know what your on about and i'm sure it's possible (not very secure though).
i'll have a look about,
but hopefully someone else will find this for you first

Mike Henson · #5 Sep 6th, 2007, 22:09

Hi Alex

What makes you say it "not very secure"?

Kind regards

Mike

alexgeek · #6 Sep 6th, 2007, 22:14

for starters javascript can be turned off.
and there are work around to make it seem as though you came from somewhere but really didn't

Mike Henson · #7 Sep 6th, 2007, 22:24

Hi Alex

If the user has Javascript turned off then they won't be able to access the site; they're problem, not mine.

Reality is that the type of person who would want to access this site is atypical middle class who wouldn't know how to forge their location even if they had the inclination.

Kind regards

Mike

alexgeek · #8 Sep 6th, 2007, 23:08

if they turn off JS, then the code preventing them from accessing the site will be disabled therefore they can access the site
have you considered server side scripting like PHP?

karinne · #9 Sep 6th, 2007, 23:39

I would still opt for a server-side solutions instead. JS is just not dependable enough for that. What is users are browsing your site with a text-browser like Lynx?

Mike Henson · #10 Sep 7th, 2007, 11:53

Hi Karinne
I'm open to any and all suggestions. How do I do it?

In the meanwhile I have found this script:

Code: Select all

<!-- Begin
var refarray = new Array();
refarray['excite.com'] = &quot;page.html?from=excite&quot;;
refarray['yahoo.com'] = &quot;page.html?from=yahoo&quot;;
refarray['lycos.com'] = &quot;page.html?from=lycos&quot;;
refarray['infoseek.com'] = &quot;page.html?from=infoseek&quot;;
for (var i in refarray) {
if (document.referrer.indexOf(i) != -1) window.location.replace(refarray[i]);
}
//  End -->

Unfortunately it will only forward to a different page at the same URL so if you land on abc.com/index.html from excite.com it will forward you to abc.com/page.html

Can anyone tell me how to make it forward to xyz.com/page.html?

Thanks and regards

Mike

Rakuli · #11 Sep 7th, 2007, 17:25

Quote:

Originally Posted by Mike Henson

Hi Karinne
I'm open to any and all suggestions. How do I do it?

I'm not sure whether this answer requires this thread to be moved to the PHP forum but you could achieve this more reliably with the huble hypertext processor.

Assumption: Your server supports >= PHP 4.1

PHP: Select all


<?php
 
$okReferers = array(
 
'excite.com',
'yahoo.com',
'etc');
 
// Make sure they aren't trying to trick us with the query string
$referer = explode('?', $_SERVER['HTTP_REFERER']);
 
// Now remove the path
$referer = str_ireplace('http://', $referer[0]);
$referer = explode('/', $referer);
 
// Now we'll see if their allowed
 
foreach ($okReferers as $ref) {
     if (stripos($referer[0], $ref))
{
     header('Location: http://theurltheycansee');
     exit();
}
// They not allowed
    header('Location:http://thenahnahurl');
 
?>

This is a very rudimentary script but should work so you can check the domain they are arriving from but beware this quote from PHP.net

Quote:

Originally Posted by PHP.net

'HTTP_REFERER' The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

The script would become more complicated it you wanted to check specific pages from given domains but it shouldn't take you long to set up what you're after and all the concerns above about Javascript would be eliminated.

Cheers,

Luke.

karinne · #12 Sep 7th, 2007, 17:32

Quote:

Originally Posted by Rakuli

I'm not sure whether this answer requires this thread to be moved to the PHP forum but you could achieve this more reliably with the huble hypertext processor.

I'll just wait and see what the OP wants

Mike Henson · #13 Sep 8th, 2007, 00:31

It would seem that neither method is foolproof but is one better than the other or is there an alternative solution?

alexgeek · #14 Sep 8th, 2007, 00:51

PHP is much better than javascript in this case.
with the JS case, all the user does is disbale javascript (all browsers have this option)
with php they have to modify header information using special programs which may take a few hours to work out.
I think

Mike Henson · #15 Sep 8th, 2007, 10:47

In his previous post Rakuli quotes:

"Originally Posted by PHP.net
'HTTP_REFERER' The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted."

This would seem to indicate that Javascript is the best option because at least the user controls whether JS is on or not and it's easy for me to place a note on the landing page that JS needs to be enabled.

However, I've been trawling through my website logs (over 30 sites) and I cannot find one that indicates JS is off.

I thinks as techies we can get tied up in detail when the man in the street doesn't even know how to setup a new email account in Outlook Express or the existence of Windows Update.

Regards to all

Mike

PS. Many thanks to Rakuli for posting the php code.

alexgeek · #16 Sep 8th, 2007, 14:32

I really don't think he should switch to php.

seanmiller · #17 Sep 10th, 2007, 09:46

Personally I'd trust php over javascript any day... there are various reasons, one of which (of course) is that the code isn't exposed to the world in the way it is with Javascript... I'd think exposing your code to the world makes it *far* more likely that somebody would succeed in hacking their way in... after all, they can see which URLs they're required to come from just by viewing the source... not with php they can't... if they don't know which URLs are accepted, how are they going to know what to put in their hack?

Sean

seanmiller · #18 Sep 10th, 2007, 09:47

Quote:

Originally Posted by alexgeek

I really don't think he should switch to php.

I think that came out wrong... unless you've had a serious change of mind ;-)

Sean

		Webforumz.com > Main Forums > Program Your Website > JavaScript Forum
Restrict Access