xoops forums

Posted on: 2005/9/19 18:26
DJ007
Just popping in
Posts: 61
Since: 2004/2/15
#1

How to limit reg page access using http referer?

Hi,

I'd like to know if I can limit access to the registration page unless it is accessed from certain referers, i.e. PayPal or 2CO etc.

I went through the reg.php page, but didn't see anything obvious. Not a coder, but have learned enough to figure some stuff out. Any pointers or help would be much appreciated.

Thanks,
David.
.........
Posted on: 2005/9/19 19:12
ackbarr
Posts: 1449
Since: 2002/10/2
#2

Re: How to limit reg page access using http referer?

Add this code somewhere at the beginning of register.php maybe after:
if (empty($xoopsConfigUser['allow_register'])) {
    redirect_header('index.php', 6, _US_NOREGISTER);
    exit();
}

// List of allowed referring domains, separated by commas
$allowed_domains = array('www.domain1.com', 'www.domain2.com');

// Was HTTP_REFERER set by browser?
if (!empty($_SERVER['HTTP_REFERER'])) {
  $ref_info = parse_url($_SERVER['HTTP_REFERER']);

  // Check that REFERER is in the list of allowed domains
  if (! in_array($ref_info['host'], $allowed_domains)) {
    redirect_header('index.php', 4, 'Invalid HTTP_REFERER host');
    exit();
  }
} else {
  // HTTP_REFERER was not sent by browser, display error
  redirect_header('index.php', 4, 'HTTP_REFERER not sent by browser');
  exit();
}

Many software firewalls will strip the HTTP_REFERER field from the page request, making this protection spotty at best. In addition, you'll probably want to change the error messages into something more user-friendly.
Site Hosting - PlanetXoops

Posted on: 2005/9/19 20:37
DJ007
Just popping in
Posts: 61
Since: 2004/2/15
#3

Re: How to limit reg page access using http referer?

Hi ackbarr,

Thanks for the assist, I made the change and got this

Parse error: parse error, unexpected '{' in /public_html/xoops/register.php on line 49

This is line 49 with the added code:

if (! in_array($ref_info['host'], $allowed_domains) {

Is it just a matter of deleting that { on the end?
Any ideas?
David.
.........
Posted on: 2005/9/19 20:39
ackbarr
Posts: 1449
Since: 2002/10/2
#4

Re: How to limit reg page access using http referer?

It was missing a ) on that line, I've fixed the original code.
Site Hosting - PlanetXoops

Posted on: 2005/9/19 20:55
DJ007
Just popping in
Posts: 61
Since: 2004/2/15
#5

Re: How to limit reg page access using http referer?

Thanks,

The redirect works great now, only prob is it also denies from domains on the list...

David
.........
Posted on: 2005/9/19 21:18
ackbarr
Posts: 1449
Since: 2002/10/2
#6

Re: How to limit reg page access using http referer?

The only reason it would do that is if in_array is false. Change the code to add the following debugging line:

// List of allowed referring domains, separated by commas
$allowed_domains = array('www.domain1.com', 'www.domain2.com');

// Was HTTP_REFERER set by browser?
if (!empty($_SERVER['HTTP_REFERER'])) {
  $ref_info = parse_url($_SERVER['HTTP_REFERER']);

  // Debugging line: print the parsed referer
  print_r($ref_info);

  // Check that REFERER is in the list of allowed domains
  if (! in_array($ref_info['host'], $allowed_domains)) {
    redirect_header('index.php', 4, 'Invalid HTTP_REFERER host');
    exit();
  }
} else {
  // HTTP_REFERER was not sent by browser, display error
  redirect_header('index.php', 4, 'HTTP_REFERER not sent by browser');
  exit();
}


Check that the value for $ref_info['host'] is in the list of allowed domains. Once done, that debugging line can be removed.
Site Hosting - PlanetXoops

Posted on: 2005/9/19 22:00
DJ007
Just popping in
Posts: 61
Since: 2004/2/15
#7

Re: How to limit reg page access using http referer?

No change, even went so far as to shut off ZoneAlarm to see if it was interfering, no difference. Even added the https:// to the allowed domains, nope....

Must be a way to accomplish this one way or another,
Thanks for trying tho'
David.
.........
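
Added example (not code from this thread or from XOOPS): the same allow-list check written as a function that reports why a Referer was accepted or rejected, run over constructed sample values. The function name referer_host_status() and the sample URLs are assumptions; the domain names are the placeholders used in the thread.

```php
<?php
// Added example, not XOOPS code. referer_host_status() and the sample
// values below are hypothetical; domain names are the thread's placeholders.
// The Referer header is supplied by the client, so this is a convenience
// filter for ordinary browsers, not proof that a payment took place.

function referer_host_status($referer, array $allowed_hosts)
{
    if (!is_string($referer) || $referer === '') {
        return 'missing';            // header stripped or never sent
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return 'unparseable';        // no scheme://host part to compare
    }
    // Host names are case-insensitive; compare lowercased, exact match only.
    $host = strtolower(rtrim($host, '.'));
    $allowed = array_map('strtolower', $allowed_hosts);
    return in_array($host, $allowed, true) ? 'allowed' : 'denied:' . $host;
}

// The allow list should hold bare host names. An entry with a scheme, such
// as 'https://www.domain2.com', can never equal parse_url()'s host value.
$allowed = array('www.domain1.com', 'https://www.domain2.com');

// Constructed Referer values for illustration.
$samples = array(
    'https://www.domain1.com/checkout/done?tx=1',
    'https://WWW.DOMAIN1.COM/',
    'https://domain1.com/return',           // no "www.": a different host
    'https://www.domain2.com/thanks',       // list entry carries a scheme
    'https://www.domain1.com.example.net/', // allowed name is only a prefix
    'www.domain1.com/checkout',             // no scheme, so no host is parsed
    '',
);

foreach ($samples as $r) {
    printf("%-45s => %s\n", $r === '' ? '(empty)' : $r,
           referer_host_status($r, $allowed));
}
```

Logging the returned status instead of only redirecting shows which host the browser actually sent, which is the information the print_r() debugging step in the thread was after.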