IE8 and HTTP_REFERER
I want to allow access to a certain page only from a given page (where the user must enter a password). Entering the URL directly in the URL field of the browser is prohibited.
I wrote the following code:
<?php
// only allow access through front door
$from = getenv("HTTP_REFERER");
if ($from != "http://www.mysite.net/password.php")
    include("http://www.mysite.net/secret_nok_tgpxFC6phBRLw1Wh.php");
else
    include("http://www.mysite.net/secret_ok_tgpxFC6phBRLw1Wh.php");
?>
This works nicely in Firefox, but IE8 opens the page even when the URL is entered in the URL field. How do I solve this? And, is my approach wrong?
TIA
Steven
EDIT:
From the replies I got so far I understand that the proper way to go would be to use (cookie-based) sessions. Can anyone recommend me a good tutorial on the subject? (While php.net contains some examples, it's a reference, not a tutorial.)
Comments (3)
Checking the referer is not the best idea. Some proxies might strip it. Using a cookie-based session would be a more 'civilized' approach.
You will need to use Wireshark or Fiddler to inspect your HTTP headers that Internet Explorer is sending. Once you've got that, it's a matter of working backwards with your PHP validation to find a solution that works.
That said, you might have better luck with the superglobal
$_SERVER["HTTP_REFERER"]
Use sessions for checking if the user is allowed to enter the protected area. IE is known for not sending the HTTP_REFERER header with some security options turned on. It worked great for IE6, but now it's turned off most of the time.
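
The session-based gate the answers recommend, as an added example that is not part of the original thread: access depends on a flag stored server-side in the session, not on a header the browser may omit or a client may set. The file name `gate.php`, the demo password, and the `../private/secret_ok.php` path are assumptions made for illustration; the cookie options array requires PHP 7.3 or later.

```php
<?php
// Added example (hypothetical gate.php): one entry point that replaces the Referer test.
declare(strict_types=1);

// Constructed demo credential. A real site stores only the hash, generated once offline.
const DEMO_PASSWORD = 'constructed-demo-password';

function is_authorized(array $session): bool
{
    // Server-side state: typing the URL or sending a forged header cannot set this.
    return ($session['authorized'] ?? false) === true;
}

function try_login(string $submitted, string $hash, array &$session): bool
{
    // password_verify compares against a password_hash() value in constant time.
    if (!password_verify($submitted, $hash)) {
        return false;
    }
    $session['authorized'] = true;
    return true;
}

// Keep the session cookie away from scripts; add 'secure' => true once served over HTTPS.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Hashed at runtime only so the demo is self-contained.
$hash = password_hash(DEMO_PASSWORD, PASSWORD_DEFAULT);

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    && try_login((string)($_POST['password'] ?? ''), $hash, $_SESSION)) {
    // Issue a fresh session id after the privilege change (prevents session fixation).
    session_regenerate_id(true);
}

if (is_authorized($_SESSION)) {
    // Assumed local path outside the web root, so the protected file has no URL of its own.
    include __DIR__ . '/../private/secret_ok.php';
} else {
    http_response_code(403);
    echo '<form method="post"><input type="password" name="password">'
       . '<button>Enter</button></form>';
}
```

Every protected page needs the same `session_start()` and `is_authorized($_SESSION)` check at its top; a page that skips it is reachable by direct URL regardless of the gate.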