restricting direct access to popup form--advice needed

  • Xenophobe

    restricting direct access to popup form--advice needed

    I have a popup window (required by the client) containing a form and would
    like to prevent users from accessing it directly. They are instead required
    to access the page via a hyperlink on another page. HTTP_REFERER, while not
    completely reliable, would serve the purpose except for another problem. The
    hyperlink points to a JavaScript function which opens the popup. This renders
    HTTP_REFERER worthless. My other thought was to create a session_id and pass
    it to the popup. However, this session_id would not be valid in the new popup
    window.

    Bottom line, I need to validate the user to ensure they are accessing the
    page through the "front door".

    All comments/suggestions appreciated.

    Thanks.


  • steve

    #2
    Re: restricting direct access to popup form--advice needed

    "Xenophobe" wrote:
    > I have a popup window (required by the client) containing a form and would
    > like to prevent users from accessing it directly. They are instead required
    > to access the page via a hyperlink on another page. HTTP_REFERER, while not
    > completely reliable, would serve the purpose except for another problem. The
    > hyperlink points to a JavaScript function which opens the popup. This renders
    > HTTP_REFERER worthless. My other thought was to create a session_id and pass
    > it to the popup. However, this session_id would not be valid in the new popup
    > window.
    >
    > Bottom line, I need to validate the user to ensure they are accessing the
    > page through the "front door".
    >
    > All comments/suggestions appreciated.
    >
    > Thanks.

    Take some server variables known to all scripts and pass them via url.

    E.g. do an md5( $_SERVER['REMOTE_ADDR'] . $_SERVER['SERVER_NAME']);

    and pass that via URL. Now the popped script can also do an md5 and
    compare. This md5'ed string would be unique for each user (due to IP).
    If you want them to do the form, say within 10 minutes, add some
    timing info to the above as well.

    --
    http://www.dbForumz.com/ This article was posted by author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.dbForumz.com/PHP-restrict...ict135858.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.dbForumz.com/eform.php?p=454421
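
Added example, not part of steve's post or the thread: a keyed, expiring variant of the URL token described above. An md5 of the client address and server name alone contains no secret, so anyone who knows both values can recompute it; this sketch swaps in an HMAC with a server-side key and an explicit expiry. `POPUP_SECRET`, `POPUP_TTL` and both function names are assumptions.

```php
<?php
// Added example, not code from the thread. POPUP_SECRET, POPUP_TTL and the
// two function names are assumptions; load the real key from server config.
const POPUP_SECRET = 'replace-with-random-server-side-key'; // placeholder
const POPUP_TTL    = 600; // seconds; the 10-minute window from the post

// Called by the page holding the hyperlink. Returns "expiry.mac", which the
// JavaScript opener appends to the popup URL as a query parameter.
function popup_token_issue(string $ip, string $host, ?int $now = null): string
{
    $expiry = ($now ?? time()) + POPUP_TTL;
    $mac = hash_hmac('sha256', "$ip|$host|$expiry", POPUP_SECRET);
    return $expiry . '.' . $mac;
}

// Called at the top of the popup script before the form is rendered.
function popup_token_verify(string $token, string $ip, string $host, ?int $now = null): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed or missing token
    }
    [$expiry, $mac] = $parts;
    if ((int) $expiry < ($now ?? time())) {
        return false; // link is older than POPUP_TTL
    }
    // Recompute with the server-side key; the expiry is covered by the MAC,
    // so a client cannot extend it by editing the URL.
    $expected = hash_hmac('sha256', "$ip|$host|$expiry", POPUP_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed sample values (documentation address range, example host).
// In the real scripts these come from $_SERVER['REMOTE_ADDR'] and
// $_SERVER['SERVER_NAME'], and $now is left at its default.
$ip    = '203.0.113.7';
$host  = 'www.example.com';
$t0    = 1700000000;
$token = popup_token_issue($ip, $host, $t0);

var_dump(popup_token_verify($token, $ip, $host, $t0 + 60));            // same client, inside the window
var_dump(popup_token_verify($token, '203.0.113.8', $host, $t0 + 60));  // different client address
var_dump(popup_token_verify($token, $ip, $host, $t0 + 601));           // after the window has closed
var_dump(popup_token_verify(md5($ip . $host), $ip, $host, $t0 + 60));  // unkeyed md5 with no expiry field
```

Clients behind a shared proxy or NAT present the same address, so the token identifies an address rather than a person.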


    • Xenophobe

      #3
      Re: restricting direct access to popup form--advice needed

      Because the use of existing client side JavaScript passing values via the
      URL isn't practical. However, it turns out using session variables works
      perfectly fine once they're set correctly and the state is managed
      correctly.

      "steve" <UseLinkToEmail @dbForumz.com> wrote in message
      news:410fc8c8$1 _5@news.athenan ews.com...
      > "Xenophobe" wrote:
      > > I have a popup window (required by the client) containing a form and would
      > > like to prevent users from accessing it directly. They are instead required
      > > to access the page via a hyperlink on another page. HTTP_REFERER, while not
      > > completely reliable, would serve the purpose except for another problem. The
      > > hyperlink points to a JavaScript function which opens the popup. This renders
      > > HTTP_REFERER worthless. My other thought was to create a session_id and pass
      > > it to the popup. However, this session_id would not be valid in the new popup
      > > window.
      > >
      > > Bottom line, I need to validate the user to ensure they are accessing the
      > > page through the "front door".
      > >
      > > All comments/suggestions appreciated.
      > >
      > > Thanks.
      >
      > Take some server variables known to all scripts and pass them via url.
      >
      > E.g. do an md5( $_SERVER['REMOTE_ADDR'] . $_SERVER['SERVER_NAME']);
      >
      > and pass that via URL. Now the popped script can also do an md5 and
      > compare. This md5'ed string would be unique for each user (due to IP).
      > If you want them to do the form, say within 10 minutes, add some
      > timing info to the above as well.
      >
      > --
      > http://www.dbForumz.com/ This article was posted by author's request
      > Articles individually checked for conformance to usenet standards
      > Topic URL: http://www.dbForumz.com/PHP-restrict...ict135858.html
      > Visit Topic URL to contact author (reg. req'd). Report abuse:


