Re: sessions and email

On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote:

> All,
> 
> I am using sessions for my application to verify a user has logged in:
> 
> // Verify the user is logged in.
> if (!isset($_SESSION['basic_is_logged_in'])
>     || $_SESSION['basic_is_logged_in'] !== true) {
>     // If not logged in, redirect to the login page.
>     header('Location: login.php');
>     exit;
> }
> 
> If anyone tries to go to any page in the application via the address bar,
> they are correctly redirected to the login page.
> 
> However, if someone that is currently logged into the application using I.E.
> goes to File -> Send -> Page by Email, the person they email the link to can
> open it and use the application without logging in and the address bar uses
> a local path like: C:\Documents and Settings\my_name\Local
> Settings\Temporary Internet Files\OLK18\My Page (2).htm
> 
> How can I prevent the emailed pages from being able to access the
> application if it is a local path or the user hasn't logged in?


You can't really. When someone is emailing the page, it's the equivalent
of them saving the page to their local computer, and then sending that
as an attachment. As this is all client-side, it has no contact with
PHP. You could have some sort of JavaScript to detect the domain the
page has, and then redirect if it's not your domain, but this fails when
someone turns JavaScript off. Apart from that, I don't know of any other
way you could stop someone from emailing a page, aside from making the
site completely Ajax-based and pulling in every scrap of content via
Ajax.

Thanks,
Ash
http://www.ashleysheridan.co.uk
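
The JavaScript domain check described in the reply above could look like the following; this is an added example, not code from the thread, and the host name and login URL are constructed placeholders. As the reply says, it does nothing once JavaScript is turned off, so the server-side session check on every request remains the actual control.

```javascript
// Constructed placeholders (assumptions, not values from the thread).
const EXPECTED_HOSTS = ['app.example.com'];
const LOGIN_URL = 'https://app.example.com/login.php';

// Decide whether a Location-like object ({protocol, hostname}) is the live site.
function isExpectedOrigin(loc, expectedHosts) {
  const protocol = String(loc.protocol || '').toLowerCase();
  const hostname = String(loc.hostname || '').toLowerCase();
  // A saved or emailed copy is opened from a local path (file:) and has
  // an empty hostname, so anything that is not http(s) is rejected.
  if (protocol !== 'https:' && protocol !== 'http:') return false;
  if (hostname === '') return false;
  // Host names are case-insensitive; compare in lower case.
  return expectedHosts.some((h) => h.toLowerCase() === hostname);
}

// Hide the snapshot and send the browser to the login page when the copy
// is not running on the expected host. Returns the action taken so the
// decision can be checked outside a browser.
function guardPage(win, expectedHosts, loginUrl) {
  if (isExpectedOrigin(win.location, expectedHosts)) return 'stay';
  // Blank the page first so the saved content is not left on screen
  // while the navigation happens.
  if (win.document && win.document.documentElement) {
    win.document.documentElement.style.display = 'none';
  }
  win.location.replace(loginUrl);
  return 'redirect';
}

// Run only in a browser; there is no window object elsewhere.
if (typeof window !== 'undefined') {
  guardPage(window, EXPECTED_HOSTS, LOGIN_URL);
}
```

Place the script in the page head so it runs before the body renders.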


