restrict access to page to only be allowed from a certain page

Question

This question is similar to the one i asked here. But its related because I want to achieve the same effect. I want the users to be restricted to only accessing other pages on the site through the main page. The first page contains a frame for navigation and then a frame for content of the page they navigate to. I want it to be setup so that the only way they can access the content pages is by using this main page. So if the main page is http://intranet/index.html then they cannot get to http://intranet/other_page.html without using the link provided in index.html. Is this possible and if so what would the best technique be? I'm using apache to serve the site and I have php and javascript available.

Answer 1

Check the Referer request header - it will thwart casual users with their browsers. It can be spoofed though - you won't fool a determined attacker.

False positives are possible though. Sometimes Referer is not set.

Answer 2

That short answer is - no, it's not possibly, strictly speaking.

The long answer is that yes, you can probably come up with a reasonable approximation of this, but you do need to be aware of the limitations.

Fundamentally, HTTP is stateless. No matter what specific actions occur, your webserver will see a single request for /other_page.html and will need to decide whether to serve it or not. In order to have some kind of reasonable limitation, the first step is that you will have to have some way of maintaining server-side state. Without this you cannot match up any incoming request for other_page.html with previous requests. The good news is that PHP does have native support for server-side sessions.

(Without server-side sessions you could try to achieve this with client-side session cookies, or inspecting the referrer header, but then it's trivial for the clients to fake as these are just strings that they send you and you accept their word for it).

Now, you'd need to use this session to track whether a user has been to the first page before going to the other page - you could set a variable in the session when the first page is requested, and on every request for /other_page.html, ensure that this variable is set in the session before serving it. That at the very least gives you a reasonable idea that they have visited the first page in the current session.

However you have absolutely no way of knowing what link was clicked in the browser to request a particular URL - or even whether a browser was involved at all. All your server sees is a request for a particular resource along with some headers. One way to potentially simulate this is to generate a random string when /index.html is served, and add this as a query parameter to the link on that page. Then store it in the session, and when other_page is asked for check that the request includes a query parameter with the same random string.

---

But at this point it's time to take a step back and say - why do you want to do this? I can think of no good reason at all why this would be done. It is not an appropriate security measure - you'd need to do security properly, and if that's your motivation you should have asked for it. It's not a good method of enforcing a particular workflow on visitors either - whether this is a good idea at all is debatable, but instead of thinking of how to force people to go to page A before page B, think about exactly why it is you need them to do that, what your limiting factors are, and what's the least intrusive way of achieving them.

Don't forget - http://intranet/other_page.html is a Uniform Resource Locator that corresponds to the content you're serving from that page. If someone visits that address one day and sees a useful resource, why on earth should they not be allowed to see it again when they go back? I strongly recommend that you think about why you want to deliberately handicap your users' experiences, and go against the general way that the internet works, with your site.