Question

I would like to detect/prevent/forward direct requests of external visitors. Some scripts should only be displayed in a jQuery dialog.

My current code:

<script>
$(".dialog").click(function(event) {
    // stop the browser from following the link itself, so only the dialog loads it
    event.preventDefault();
    // some code for validation
    // ...
    $("#dialog").load(this.href).dialog();
});
</script>

<a href="http://domain.de/path/to/form/" class="dialog">Open me in a dialog</a>

That works fine BUT if I open this link in a new tab/window (e.g. by clicking the middle mouse-button), the form will be displayed "naked".

In this case I would like to forward the user to the referring page, e.g.:

if ($requester != $server) {
    header("Location: " . $_SERVER["HTTP_REFERER"]);
    exit; // stop here so nothing is rendered after the redirect
}

How can I detect $requester and $server? I don't want to block every script or a whole directory!

Thanks in advance!


Solution

To add to what @Dharman suggested, jQuery adds a header called HTTP_X_REQUESTED_WITH to all its ajax requests, so you could simply check for this header in the $_SERVER global array.

Example:

if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])
{
    // check if the request is ajax
    if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
        $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
        // ajax content loading: carry on and render the fragment for the dialog
    } else {
        // direct request: redirect and stop, so no form markup follows the header
        header("Location: index.php");
        exit;
    }
}
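The header test above, as an added example that is not part of the answer: the check is wrapped in a function that takes the `$_SERVER` array as a parameter so it can be exercised with constructed requests, a missing header counts as a plain page load, and the redirect path ends in `exit`. The function names and the sample request arrays are assumptions; `index.php` is the answer's fallback target. Because the client sets this header, the check only tells the dialog's `load()` apart from a middle-click into a new tab; it is not an access control.

```php
<?php
declare(strict_types=1);

// True when the request carries the header jQuery adds to its ajax calls.
// The client sets this header, so it distinguishes the dialog's load() from
// a direct visit; it is not an authorisation check.
function isAjaxRequest(array $server): bool
{
    return strcasecmp($server['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0;
}

// Decides what the form script should do. The decision is returned as data
// rather than performed, so it can be inspected without sending headers.
function decideFormResponse(array $server, string $fallback = 'index.php'): array
{
    if (isAjaxRequest($server)) {
        return ['action' => 'render'];
    }
    return ['action' => 'redirect', 'location' => $fallback];
}

// Constructed requests: one from the dialog, one opened directly in a tab.
$fromDialog = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest', 'HTTP_HOST' => 'domain.de'];
$directOpen = ['HTTP_HOST' => 'domain.de'];
print_r(decideFormResponse($fromDialog));
print_r(decideFormResponse($directOpen));

// Wiring at the top of the form script, before any output is produced.
// Skipped on the command line so the sample above runs stand-alone.
if (PHP_SAPI !== 'cli') {
    $decision = decideFormResponse($_SERVER);
    if ($decision['action'] === 'redirect') {
        header('Location: ' . $decision['location'], true, 303);
        exit; // nothing should follow a Location header
    }
    // ... render the form fragment for the dialog ...
}
```

The 303 status makes the browser re-request the fallback page with GET even if the form was opened via POST; the `exit` is what the original snippet lacked, since `header()` alone does not stop the script from sending the form markup after the redirect.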

OTHER TIPS

if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])
{
    header("Location: index.php");
    exit; // stop so the form is not sent after the redirect header
}

I have those values coming in on an external request:

[HTTP_HOST] => 104.219.42.237

[HTTP_REFERER] => http:// someurl.com

So, my solution is:

if (strpos($_SERVER['HTTP_REFERER'] ?? '', $_SERVER['HTTP_HOST']) !== FALSE) {
    echo 'same origin/request';
} else {
    echo 'different origin/request';
}

...

The reason the previous solutions did not work!

In my case: $_SERVER['HTTP_REFERER'] == 'http:// someurl.com'

while $_SERVER["HTTP_HOST"] does not contain 'http' nor 'https'

So,

if($_SERVER['HTTP_REFERER']!=$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"])

won't match

The other answer

if( $_SERVER['REMOTE_ADDR'] == $your_Server_IP_Address)

will not work on localhost
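The scheme mismatch described above can be avoided by comparing hosts instead of raw strings. The following is an added example, not code from the answer: it parses the Referer with `parse_url`, strips any port from `HTTP_HOST` by parsing it the same way, and compares the two hosts exactly. The exact comparison is shown beside the answer's `strpos` test over a few constructed requests (the `.example.net` hostname and the labels are made up), because a substring match also accepts a referer from another site whose hostname merely contains ours, and an absent Referer would otherwise raise an undefined-index notice. The Referer is sent by the client and may be missing or arbitrary, so this only decides the fallback for direct visitors; it is not a security boundary.

```php
<?php
declare(strict_types=1);

// Extracts the lower-cased host from a URL or a Host header value, without
// scheme, port or path. HTTP_HOST has no scheme and may carry a port, so it
// is prefixed before parsing. Returns null when no host can be parsed.
function hostOf(string $value): ?string
{
    if ($value === '') {
        return null;
    }
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        $value = 'http://' . $value;
    }
    $host = parse_url($value, PHP_URL_HOST);
    return is_string($host) && $host !== '' ? strtolower($host) : null;
}

// Strict comparison: the Referer's host must equal this server's host.
function refererMatchesHost(array $server): bool
{
    $refHost = hostOf($server['HTTP_REFERER'] ?? '');
    $ownHost = hostOf($server['HTTP_HOST'] ?? '');
    return $refHost !== null && $ownHost !== null && $refHost === $ownHost;
}

// The answer's substring test, with a guard against a missing Referer.
function refererContainsHost(array $server): bool
{
    return strpos($server['HTTP_REFERER'] ?? '', $server['HTTP_HOST'] ?? '') !== false;
}

// Constructed sample requests; the values are illustrative, not captured.
$samples = [
    'same host'         => ['HTTP_HOST' => '104.219.42.237', 'HTTP_REFERER' => 'http://104.219.42.237/index.php'],
    'same host, port'   => ['HTTP_HOST' => 'localhost:8080',  'HTTP_REFERER' => 'http://localhost:8080/form/'],
    'other host'        => ['HTTP_HOST' => '104.219.42.237', 'HTTP_REFERER' => 'http://someurl.com'],
    'host as substring' => ['HTTP_HOST' => 'domain.de',       'HTTP_REFERER' => 'http://domain.de.example.net/'],
    'no referer'        => ['HTTP_HOST' => 'domain.de'],
];

foreach ($samples as $label => $server) {
    printf(
        "%-18s exact=%-9s strpos=%s\n",
        $label,
        refererMatchesHost($server) ? 'same' : 'different',
        refererContainsHost($server) ? 'same' : 'different'
    );
}
```

Only the "host as substring" row separates the two checks: the exact comparison reports a different host, the substring test reports the same one. The "same host, port" row shows why `HTTP_HOST` is parsed rather than compared verbatim, since it carries the port while `parse_url` on the Referer does not return it.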

Yes, you can check the remote address for the IP address of the request sender using $_SERVER['REMOTE_ADDR']. Do it like this:

if( $_SERVER['REMOTE_ADDR'] == $your_Server_IP_Address)
     echo 'From same server';
else
     echo 'from different server';

Another possible solution could be to use a nonce:

  • When displaying the form, put a hidden input field in it, containing a random value

  • At the same time, store that random value in the session that corresponds to the user.

  • When the form is submitted, check that the hidden field has the same value as the one that's stored in the session.

If those two values are not the same, refuse to use the submitted data.

Note: this idea is often used to help fight against CSRF -- and is integrated into the "Form" component of some frameworks (Zend Framework, for instance).
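The three steps above carried through in one piece, as an added example rather than code from the answer or from any framework: the token comes from `random_bytes`, the comparison uses `hash_equals` so it does not leak timing, and the stored copy is cleared on the first check so a token cannot be replayed. The session key, the field name `_token` and the function names are assumptions; the plain arrays stand in for `$_SESSION` and `$_POST` so the script runs from the command line.

```php
<?php
declare(strict_types=1);

const FORM_TOKEN_KEY = 'form_token'; // session key; the name is an assumption

// Step 1 and 2: create a fresh random token, store it in the session and
// return it for embedding in the form. Called when the form is rendered.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session[FORM_TOKEN_KEY] = $token;
    return $token;
}

// Renders the hidden input; htmlspecialchars keeps the value safe to embed.
function hiddenTokenField(string $token): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Step 3: compare the submitted field with the session copy. The stored
// token is removed before the comparison, so each token is valid once
// whether or not the check succeeds.
function validateFormToken(array &$session, array $post): bool
{
    $expected  = $session[FORM_TOKEN_KEY] ?? null;
    $submitted = $post['_token'] ?? null;
    unset($session[FORM_TOKEN_KEY]);
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// In a real script call session_start() first and pass $_SESSION and $_POST;
// plain arrays are used here so the example runs stand-alone.
$session = [];
$token   = issueFormToken($session);
echo hiddenTokenField($token), "\n";

var_dump(validateFormToken($session, ['_token' => $token])); // first submission of the issued token
var_dump(validateFormToken($session, ['_token' => $token])); // the same token submitted a second time
$token = issueFormToken($session);
var_dump(validateFormToken($session, ['_token' => 'wrong'])); // a value that was never issued
var_dump(validateFormToken($session, []));                    // the hidden field missing altogether
```

Rendering the form and validating the submission must share the same session, which is why the token lives there and not in a cookie of its own; clearing the stored copy inside `validateFormToken` also means the form has to be re-rendered, and a new token issued, after every attempt.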

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow