antonyfal Posted August 16, 2011

Please, it is very important!!

I have a script (main file is index.php) that is called into an iframe src via a URL reference...

http://www.xxxx.com/folder/userfolder/folderwithemailname/index.php

works perfectly!!..

How can I prevent someone getting direct URL access to the file? If someone were to take the URL http://www.xxxx.com/folder/userfolder/folderwithemailname/index.php and place it into the address bar, they have access to the file...

Points to note:
- I have no database for this script,
- the iframe is called directly into an HTML file,
- I don't know the userfolder or the emailfolder names,
- and the index.php is linked to several other .php and .js and .html files in different folders....

I can add something like this to these files (I found this on the net).

Add this to the page that you want to only be included:

    <?php if (!defined('MyConst')) { die('Direct access not permitted'); } ?>

then on the pages that include it add:

    <?php define('MyConst', TRUE); ?>

This will prevent the files being accessed, but then I can't access the file via the iframe URL..

Please, any ideas???

Best regards
Tony
Psycho Posted August 16, 2011

you are using a frame for this content, you are not using PHP (or some other server-side technology) that allows you to dynamically control content. Therefore, the snippets of code you have above will not help you.

Frames have been discouraged by those knowledgeable in web development for many, many years now. You should really reconsider rebuilding what you have. However, I'm not going to rebuild your site in this post, so I'll try to provide a solution - although it is sort of a hack.

On the main page that includes the iframe, add a line of PHP code to save a cookie.

    setcookie("ShowFile", 1);

Do not set an expiration for the cookie. That way it should expire as soon as they close their browser. Then on the page that is loaded into the iframe, just check if the cookie is set or not.

    if (!isset($_COOKIE['ShowFile']))
    {
        // Cookie missing: the main page was never loaded
        echo "You must access this content from the main page.";
    }
    else
    {
        // Show normal content
    }

Now, this is by no means secure. Someone could get around this if they really wanted to, but it should prevent direct access for the majority of users. Also, anyone could directly load the file IF they have already loaded the main page.
antonyfal (Author) Posted August 16, 2011

Ahh, thanks a stack. I will give this a try a bit later.. it seems plausible.

I like the fix you gave me. It basically does not matter if the person has loaded the page and then has direct access to the actual file, as by the time the user reaches the iframe there has been a multitude of logins and passwords, and other database security functions, which will make the actual file (in its username folder) the user's own file.. I just didn't want any outsider to be able to access it..

I was wondering: I have heard before that an iframe is not encouraged. What would be a better way to load a URL into a page? A div? Or a JavaScript frame? Or is there another method?..

Best regards
Tony
antonyfal (Author) Posted August 16, 2011

Sorry, one more thing just occurred to me!! Can I make the cookie a variable based on the username? Is it possible? I.e. the cookie that is loaded is the name of the user of the profile? That should make it more unique and secure :).. I will test and post..
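The username-based cookie discussed above, as an added example that is not part of the thread: a bare marker or a plain username can be typed in by anyone, so this sketch signs the username and an expiry time with a server-side key and has the framed page verify the signature. `SECRET_KEY`, `TOKEN_TTL`, `issue_frame_token()` and `verify_frame_token()` are hypothetical names, and the key and sample values are placeholders constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder
const TOKEN_TTL  = 300; // seconds a token stays valid

// Main page (after login): build "username|expiry|signature".
function issue_frame_token(string $username, int $now): string
{
    // rawurlencode() guarantees the username cannot contain the "|" separator
    $payload = rawurlencode($username) . '|' . ($now + TOKEN_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Framed page: return the username if the token is authentic and
// unexpired, otherwise null.
function verify_frame_token(string $token, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null; // not in the expected three-field shape
    }
    [$user, $expiry, $sig] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expiry, SECRET_KEY);
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null; // signature was not produced with SECRET_KEY
    }
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return null; // token is past its lifetime
    }
    return rawurldecode($user);
}

// Constructed demonstration values.
$now   = 1313500000;
$token = issue_frame_token('tony@example.com', $now);

// Token presented within its lifetime
var_dump(verify_frame_token($token, $now + 60));
// Same token presented after TOKEN_TTL has passed
var_dump(verify_frame_token($token, $now + 600));
// Hand-written value with the right shape but no valid signature
var_dump(verify_frame_token('tony%40example.com|9999999999|forged', $now));
// Bare marker value of the kind used in the thread
var_dump(verify_frame_token('1', $now));
```

On the main page the token would go out with `setcookie()`, and the framed page would pass the cookie value and `time()` to `verify_frame_token()`, serving a user folder only when the returned username matches it. This assumes the main page runs PHP after login, which the plain HTML page described in the thread would have to be changed to do.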
antonyfal (Author) Posted August 22, 2011

Hi, just posting results from the query above: it took me a while to discover that the setting cookie above was a JavaScript code. But here is my final post.

I used this code to post the cookie; I used this on an HTML page. I did use a variable of the user's name instead of the "1" below, but for the purpose of the reply I just posted the "1" value.

    <script type="text/javascript">
    document.cookie = "letsChat=1";
    </script>

Then on the PHP page I posted this code. This code checks if the cookie is available; if there is no cookie it redirects the user to your main domain, i.e. www.xxxxx.com.

    <?php
    if (!isset($_COOKIE['letsChat'])) {
        // No cookie: send the visitor back to the main domain
        $url2 = $_SERVER['HTTP_HOST'];
        // Escape the value: the Host header is supplied by the client
        $myurls = htmlspecialchars('http://' . $url2 . '/', ENT_QUOTES);
        echo "<META HTTP-EQUIV=Refresh CONTENT=\"0;URL=$myurls\">";
    } else {
        // whatever here: your normal page can go in here.
    }
    ?>

JavaScript version for an HTML page; below is an example of how I used it for divs..

    <script type="text/javascript">
    function checkCookie()
    {
        // check if cookie includes "letsChat"
        if (document.cookie.indexOf("letsChat") != -1) {
            // if it does (not false), display what you want here,
            // could be redirect or div or page
        } else {
            // if it does not exist place what you want here..
        }
    }
    </script>

Here is a JavaScript version for HTML to HTML pages. This took me a little work to figure out, so I know it will help someone. I used this to check for a cookie: if the cookie exists show a div, if it does not exist show another different div.

    <script type="text/javascript">
    function checkCookie()
    {
        // establish DIV objects to manipulate
        var onlineDiv = document.getElementById("online");
        var offlineDiv = document.getElementById("offline");
        // check if cookie includes "letsChat"
        if (document.cookie.indexOf("letsChat") != -1) {
            // if it does (not false), display the DIV object
            onlineDiv.style.display = "block";
            offlineDiv.style.display = "none";
        } else {
            onlineDiv.style.display = "none";
            offlineDiv.style.display = "block";
        }
    }
    </script>
    <body>
    <!-- Here's the "content" DIV element. It doesn't display until the cookie is set -->
    <div id="online" style="display:none">online here..</div>
    <!-- Here's the "menu" DIV element -->
    <div id="offline" style="display:none">offline here...</div>
    <script type="text/javascript">
    // check for the cookie and display DIV or set cookie
    checkCookie();
    </script>
    </body>

Hope you can find this useful.. and thanks for all the help I got.