Restricting access to requests from another website


danfluidmind

2:54 pm on Mar 3, 2005 (gmt 0)

10+ Year Member



Hi all

I need to restrict access to a site to only those requests that are in the frame of another site (with a different domain on a different server). I've tried just checking the referer, BUT that is extremely unreliable as sometimes the browser doesn't set the referer header, and users keep complaining that they're getting "access denied". Does anyone know any other way to make a site only work if it is being viewed within the frame of specific other site?

Thanks
--Dan

jdMorgan

3:45 am on Mar 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Dan,

Welcome to WebmasterWorld!

Yes, the HTTP_REFERER is notoriously unreliable, and should be used only as a simple, convenient method of limiting *easy* access to your content. While widely-advertised by utilities like cPanel as "hotlinking protection," referrer-based access control is only a half-measure that stops only casual hotlinkers.

A better solution involves setting a cookie, and a script to serve the content only after validating the cookie.

Another simpler method is to change the URL of the resource frequently, so that unauthorized linkers get a 404-Not Found.

Jim

danfluidmind

4:03 am on Mar 4, 2005 (gmt 0)

10+ Year Member



Thanks for the reply Jim. The cookie thing would be nice. But since these two sites are on different servers with different domains, aren't cookies set up so that one site can't see another site's cookies?
--Dan

sitz

4:23 am on Mar 4, 2005 (gmt 0)

10+ Year Member



I freely admit that I'm guessing here, so. Grain of salt, you've been warned, YMMV, etc. =)

You could, I think, use a server-side scripting language (I'd probably recommend PHP for something like this, unless you're running mod_perl) to set a cookie on the frameset page, check the cookie using that same page, and if the cookie's not there, don't even generate the HTML for the frame (or generate an access denied page).

Something like (PHP-based pseudocode):


<?php
// Cookie name 'frameset_ok' and the cookie_is_valid() check are placeholders
// for whatever the frameset page sets and however it validates the value.
if (isset($_COOKIE['frameset_ok']) && cookie_is_valid($_COOKIE['frameset_ok'])) {
    include "includes/frameset.inc";
} else {
    include "includes/access_denied.inc";
}

Does this make sense?

danfluidmind

3:14 pm on Mar 4, 2005 (gmt 0)

10+ Year Member



sitz wrote:
> Does this make sense?

Not really. If site 1 (www.site1.com) sets a cookie, then only webpages on www.site1.com can read that cookie. So if a page on www.site1.com sets a cookie and then it has an iframe that loads a page from www.site2.com, then the script on www.site2.com can't read the cookie that was set by www.site1.com.

So the question still remains, considering that using the referer header is too unreliable, how is www.site2.com going to know that the request came from www.site1.com?

--Dan

danfluidmind

10:40 pm on Mar 4, 2005 (gmt 0)

10+ Year Member



Okay, the only thing that I can figure would be even remotely reliable (albeit a bit of a kludge) would be to set up some kind of handshake between the server scripts. Something like this:

Situation:
www.site1.com requires a login. www.site1.com/page.php contains an iframe which loads www.site2.com. www.site2.com wants to disallow all requests that have not come from www.site1.com/page.php.

Method:
1) www.site1.com/page.php saves the user's userid and the time of access into a database table and includes the userid in the querystring of the URL to www.site2.com/page.php in its iframe.

2) The scripts on www.site2.com, before they allow access, send an HTTP request to www.site1.com/checkaccess.php with the userid in the querystring.

3) www.site1.com/checkaccess.php looks up the userid in the database table to see if that user has gone to page.php within the last minute (let's say). If it has, it responds with an affirmative, otherwise, it responds with a denial.

4) www.site2.com gets back the response from www.site1.com/checkaccess.php and responds with "access denied" if it gets a denial back from site1, or sets up a new session if it gets an affirmative back.

Anyone see any problem with this solution?

Thanks
--Dan
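Dan's four-step handshake written out end to end, as an added example that is not code from this thread: both sites run in one process, a dict stands in for site1's database table, and site2's HTTP request to checkaccess.php is a direct function call so the example runs offline (the "OK"/"DENY" response words are assumptions).

```python
import secrets
import time

ACCESS_WINDOW_SECONDS = 60  # site1 honours visits to page.php within the last minute

# --- site1 side ---------------------------------------------------------
# Constructed stand-in for site1's table: userid -> time the user loaded page.php.
site1_access_table: dict[str, float] = {}

def site1_page_php(userid: str, now: float) -> str:
    """Step 1: record (userid, time) and build the iframe URL that carries the userid."""
    site1_access_table[userid] = now
    return f"https://www.site2.com/page.php?userid={userid}"

def site1_checkaccess_php(userid: str, now: float) -> str:
    """Step 3: 'OK' if this userid hit page.php inside the window, otherwise 'DENY'."""
    seen = site1_access_table.get(userid)
    if seen is None or now - seen > ACCESS_WINDOW_SECONDS:
        return "DENY"
    return "OK"

# --- site2 side ---------------------------------------------------------
site2_sessions: dict[str, str] = {}  # session id -> userid

def site2_page_php(userid: str, now: float, checkaccess=site1_checkaccess_php) -> str:
    """Steps 2 and 4: ask site1 before serving; return 'access denied' or a new session id.

    In the real deployment `checkaccess` is an HTTP GET to
    www.site1.com/checkaccess.php?userid=...; the default here calls site1 directly.
    Note that the bare userid in the querystring is guessable: anyone who knows a
    userid that is currently logged in on site1 gets through for up to 60 seconds.
    Recording a random per-visit token instead of the userid closes that gap.
    """
    verdict = checkaccess(userid, now)
    if verdict != "OK":
        return "access denied"
    sid = secrets.token_hex(16)  # fresh session on site2 for the validated visitor
    site2_sessions[sid] = userid
    return sid

if __name__ == "__main__":
    t0 = time.time()
    print(site1_page_php("alice", t0))          # iframe URL site1 emits
    print(site2_page_php("alice", t0 + 5))      # session id: within the window
    print(site2_page_php("alice", t0 + 120))    # access denied: window expired
```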

sitz

1:14 am on Mar 5, 2005 (gmt 0)

10+ Year Member



No, with two caveats (and yes, I was on crack in my earlier post; misunderstood the intent):

1) You will (obviously) take a performance hit here; no idea what kind of traffic you see normally. If you run a high-traffic site, you may be in trouble.

2) Depending on your security model, you may need to encrypt transmission of the userid from site2 -> site1/checkaccess.php (incurring additional overhead from SSL negotiation, for a total of *two* such negotiations for each request).

Here's another thought (which may or may not be workable, depending on the nature of the sites); have you looked into using mod_rewrite with the proxy option? Depending on the nature of site2, you may be able to restrict access to the page you're placing in the iframe so that only your server can reach it. That may open up new possibilities.