Only allow internal link to access directory

tomzoo

12:47 pm on Oct 31, 2009 (gmt 0)

Hi,

I have terms & conditions that have to be accepted, currently a user can copy the link location from the download button and download it.

I have a directory that needs to be protected so that only specific requests from my site get access and all other request denied.

So if the request comes from [mysite.com...] it is allowed but if it is a direct link to the secure file it is blocked. Can this be done with htaccess?

Thanks
T

jdMorgan

2:31 pm on Oct 31, 2009 (gmt 0)

No, because the HTTP Referer header is client-controlled, may not be present, or can easily be spoofed. You can't rely on it at all.

The usual solution is to use .htaccess or a script to check for a session cookie which has been set by your T&C or log-in page, and only allow access if that cookie is set, otherwise redirect to the T&C or log-in page, or return a 403-Forbidden response. Note that here, "session cookie" refers to a cookie that expires when the browser session ends, and this has nothing to do with server-side "sessions" as defined by PHP and various off-the-shelf script packages.

Jim
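
The two points Jim makes above, shown in code as an added example that is not from the thread or from any script the poster was running: a Referer-only gate accepts a forged request as readily as a real one, and a cookie check is only worth anything if the server can tell a cookie it issued from one the client typed in itself. The handler names, the secret and the cookie format (random nonce plus HMAC tag) are all assumptions; the thread never shows the server-side script. Setting no Expires/Max-Age makes it a browser session cookie in the sense Jim describes.

```python
import hmac
import hashlib
import secrets
from http.cookies import SimpleCookie

# Hypothetical names: the thread never shows the server-side script, so the
# secret, cookie name and handler functions below are all assumptions.
SECRET = b"replace-with-a-long-random-secret-loaded-from-config"
COOKIE_NAME = "terms-conditions"


def referer_allows(headers, site="mysite.com"):
    """The Referer-only gate asked about in the opening post.

    Any HTTP client can send whatever Referer it likes, so this returns
    True for a forged request exactly as it does for a genuine one.
    """
    referer = headers.get("Referer", "")
    return referer.startswith("http://" + site + "/")


def issue_acceptance_cookie(secret=SECRET):
    """Value for the Set-Cookie header the 'accept' handler emits.

    The cookie carries a random nonce plus an HMAC over it, so a client
    cannot mint a valid value by hand the way it can mint 'true'.
    No Expires/Max-Age is set, so the browser drops it when the session ends.
    """
    nonce = secrets.token_hex(8)
    tag = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = nonce + "." + tag
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True
    return cookie[COOKIE_NAME].OutputString()


def acceptance_valid(headers, secret=SECRET):
    """Check that the download request carries a cookie this server issued."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    if COOKIE_NAME not in jar:
        return False
    nonce, _, tag = jar[COOKIE_NAME].value.partition(".")
    if not nonce or not tag:
        return False
    expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def download_response(headers):
    """403 unless the signed acceptance cookie is present and verifies."""
    return "200 OK" if acceptance_valid(headers) else "403 Forbidden"


if __name__ == "__main__":
    set_cookie = issue_acceptance_cookie()
    print("Set-Cookie:", set_cookie)
    # Constructed requests: a hand-typed flag cookie and the issued one
    # sent alongside an unrelated session cookie.
    forged = {"Cookie": "terms-conditions=true"}
    genuine = {"Cookie": "PHPSESSID=abc123; " + set_cookie.split(";")[0]}
    print("forged cookie ->", download_response(forged))
    print("issued cookie ->", download_response(genuine))
    print("spoofed Referer passes the Referer gate:",
          referer_allows({"Referer": "http://mysite.com/terms"}))
```

Verifying the tag is what turns "is the cookie present" into "did we set this cookie"; a bare `terms-conditions=true` is still a client-controlled string and anyone with curl can supply it. Unticking the box can clear the cookie, but as written nothing stops a client that kept a copy of a valid value from reusing it until the secret changes.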

tomzoo

7:27 pm on Oct 31, 2009 (gmt 0)

Thanks, I've taken the first steps towards checking for a cookie via htaccess.

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !terms-conditions=true
RewriteRule .* /denied

and javascript:

// createCookie() and eraseCookie() are cookie helper functions not shown in
// the post; they write and delete a document.cookie entry respectively.
$('#download_check').click(function () {
    if ($('#check').attr('checked')) {
        // box ticked: write the flag cookie (expiry argument as written)
        createCookie('terms-conditions', 'true', 1);
    } else {
        // box unticked: remove the flag cookie again
        eraseCookie('terms-conditions');
    }
});

This only works once however. The cookie gets created and erased but the htaccess only seems to pick up the first state. e.g. If a user does not check the box and accesses the location they get the denied page as expected. However if they then check the box, the cookie is created but they still get the denied page.

Am I missing something here?

jdMorgan

8:00 pm on Oct 31, 2009 (gmt 0)

You've got anchoring problems and an 'infinite' loop there...

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !=terms-conditions=true
RewriteRule !^denied$ /denied [L]

The cookie should be set server-side, when the "accept" is submitted, and *only* if it is not already set. The "accepted-thank-you" page should set the cookie, and that page should be marked as non-cacheable.

Jim
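
A check on the two RewriteCond forms that appear in this thread, added here as an example and not part of any post. In mod_rewrite a bare CondPattern is an unanchored regex, a pattern beginning with `=` is a literal whole-string comparison, and a leading `!` inverts the result. The emulation below applies each form to a few constructed Cookie headers, including one where the browser sends another cookie alongside the flag, which is the normal case once any server-side session is in play. The cookie name and the anchored pattern are the thread's and a common idiom respectively; the function names are mine.

```python
import re

# Emulation of three RewriteCond forms applied to the Cookie request header.
# Assumed mod_rewrite semantics: bare CondPattern = unanchored regex
# (re.search), "=string" = literal whole-string compare, leading "!" inverts.

COOKIE_NAME = "terms-conditions"
WANTED = COOKIE_NAME + "=true"


def cond_regex(cookie_header):
    """RewriteCond %{HTTP_COOKIE} terms-conditions=true   (unanchored regex)"""
    return re.search(re.escape(WANTED), cookie_header) is not None


def cond_equal(cookie_header):
    """RewriteCond %{HTTP_COOKIE} =terms-conditions=true  (literal, whole string)"""
    return cookie_header == WANTED


ANCHORED = re.compile(r"(?:^|;\s*)" + re.escape(WANTED) + r"(?:;|$)")


def cond_anchored(cookie_header):
    r"""RewriteCond %{HTTP_COOKIE} (^|;\s*)terms-conditions=true(;|$)"""
    return ANCHORED.search(cookie_header) is not None


def rule_fires(cond, cookie_header):
    """With the '!' prefix the RewriteRule (the send-to-/denied rule)
    fires when the condition does NOT match."""
    return not cond(cookie_header)


def outcome(cond, cookie_header):
    return "denied" if rule_fires(cond, cookie_header) else "allowed"


if __name__ == "__main__":
    # Constructed Cookie header values, not captured traffic.
    headers = [
        "",
        "terms-conditions=true",
        "PHPSESSID=abc123; terms-conditions=true",
        "old-terms-conditions=true",
    ]
    for h in headers:
        print(f"{h!r:45} regex={outcome(cond_regex, h):7} "
              f"equal={outcome(cond_equal, h):7} "
              f"anchored={outcome(cond_anchored, h)}")
```

The literal `=` form only passes when the entire Cookie header is exactly `terms-conditions=true`; with a second cookie in the header the comparison fails and the `!` sends the request to /denied. The unanchored regex passes in that case but also matches `old-terms-conditions=true`, so the usual idiom is the anchored pattern, `RewriteCond %{HTTP_COOKIE} !(^|;\s*)terms-conditions=true(;|$)`. All three are presence checks on a client-supplied header; none of them verifies that the server issued the value.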

tomzoo

7:13 pm on Nov 1, 2009 (gmt 0)

I'd prefer to avoid a separate "accepted-thank-you" page.

Would the following work? The download button is disabled. When the "accept" checkbox is selected an ajax request is made, which sets the cookie server-side, and on its return the download button is enabled. When the download button is clicked the cookie is checked via htaccess and, if set, the download is allowed.

If the "accept" checkbox is deselected the cookie is erased and the download button is disabled. If a user tries to use the absolute URL to the download, the cookie will not be set and they'll be refused.

jdMorgan

7:30 pm on Nov 1, 2009 (gmt 0)

> When the "accept" checkbox is selected an ajax request is made, which sets the cookie server side...

As long as the browser fetches something from the server which results in the cookie being set so it can then send the cookie along with the 'download request' it should work.

Jim

tomzoo

12:40 am on Nov 2, 2009 (gmt 0)

Making progress, still not quite there.

Here's where I am. User checks checkbox to accept terms, ajax request calls script and sets cookie name=terms-conditions, value=true. Now the cookie is set and they can click the download button.

This may be where I'm falling down, I'm not sure how to "send the cookie along with the 'download-request'". At the moment all requests are denied when they click on download button.

Here's the htaccess file in the protected directory:

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !=terms-conditions=true
RewriteRule !^denied$ /denied [L]

tomzoo

12:17 pm on Nov 2, 2009 (gmt 0)

I have looked at the headers for a request and it seems htaccess is disregarding the values set in the cookie. I realize it is not and it's more likely I'm not picking up on something.

I make a request with this cookie value:

Cookie: terms-conditions=true

but still get the denied page.

RewriteCond %{HTTP_COOKIE} !=terms-conditions=true

If the check box is unselected, terms-conditions is set to false on the server side and the user gets the denied page.

This is driving me nuts!

jdMorgan

5:48 pm on Nov 2, 2009 (gmt 0)

Sending cookies is a built-in browser function. If you're not seeing the cookie at the server, then you haven't properly set it on the client, or the cookie's scope is incorrect. Use an HTTP headers checker such as the "Live HTTP Headers" add-on for the Firefox/Mozilla browsers to verify your implementation.

I don't fiddle with client-side scripting much. In fact, I run with JS disabled on most sites, because the client-side scripting is often so poorly-done and inefficient. So I don't know *when* a cookie set by a client-side script would take effect, or whether it would be sent for all requests (i.e. including AJAX calls), or whether it might not take effect until the next "full HTML page" load. Some time spent with an HTTP headers checker should make this clear to you, though.

Jim

tomzoo

7:34 pm on Nov 3, 2009 (gmt 0)

Thanks for the help Jim. I've gone with a server-side cookie check only. I'll have to come back to this at some stage as it seems like a better solution.