CODEWITHSUNDEEP
php.htaccess
Chri.s
Chri.s

Reputation: 1466

Check HTTP Referer ONLY if url contains specific query string

I've searched broad and wide for an answer to this, but without any luck. I would like to know if it's possible (either through PHP or .htaccess) to check if the HTTP referer is coming from my own domain, ONLY if the URL which the visitor is attempting to visit, contains a specific query string.

An example: For a website which offers downloads it's ideal to not let other websites "link directly to the download link of a file", and therefore try to block it.

A direct download link could be as such: www.mysite.com/?download=123 where the query of ?download=123 initiates the file download.

However, blocking all HTTP refereres is not ideal and should only happen with regards to downloads; or more specific, if the url contains the string ?download=

I know the caveats of relying on HTTP referer as it can easily be spoofed, but 100% security is not the goal in this case.

EDIT 1:

As I didn't realize the extent of my initial question here comes some more information:

I'm currently using Wordpress, and with it I have a download-managing plugin called Delightful Downloads. The plugin works the way, that on load/initiation of the page it creates specific download links matching the files through php. Such a download link can look like the follow: www.mysite.com/?download=123 . As pointed out these links are created during initiation/load and are also placed on the first page of the website. Because the download-link doesn't end on .jpg or alike, blocking access to these extensions based on HTTP referer doesn't work (at least when I tried).

This "flow of download" has also caused that i can't find a "download initiatior/call/function" since it's activated when visiting the page including the query string.

The problem lies in the fact that visitors, or other websites, can link directly to the link containing the query string, resulting in a "direct download". This is troublesome as the people downloading should agree to a set of "terms of use" before being able to download.

Upvotes: 1

Views: 1342

Answers (2)

colburton
colburton

Reputation: 4715

htaccess solution:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://example.com/.* [OR]
RewriteCond %{HTTP_REFERER} ^$ 
RewriteCond %{QUERY_STRING} ^download=([0-9]+)$
# redirect to another page
# ? at the end creates new query string and discards the old
RewriteRule .* http://example.com/? [R=302,L]

Upvotes: 0

Martin
Martin

Reputation: 22760

HTTP Referer agents can be easily spoofed by anyone. As mentioned by Chris85. What I'm noticing a lot more of is that browser agents now typically do not provide referrer contents at all, they're ,much more often just empty strings.

If you're trying to track a user is visiting a page on your site from another page on your site you can record relevant information in PHP $_SESSION data, so on page 1, set a session with a page address (not PHP_SELF) and possibly some form of timestamp, and then compare these values on the destination page.

page 1 (from)

session_start();
$_SESSION['visitTime'] = time();
$_SESSION['visitAddress'] = __FILE__ //or some othe random yet checkable data

page 2 (to)

 session_start();
 //example checking criteria only
 if($_SESSION['visitTime'] > (time() - 300) 
    && !empty($_SESSION['visitAddress'])){
     //do stuff, as another page on your site has been visited
     // by this user within the last 5 minutes. 
 }

Reading your question it seems more like you're trying to prevent hotlinking, and most servers now do provide various facilities for doing this automatically. using $_SESSIONs will achieve this if you simply use a variation on my example above.

.Htaccess prevent hotlinking (image specific but can be adapted for other file types)

(Slghtly) broader details for .htaccess file hotlink prevention

Upvotes: 1

Related Questions