You could do it using a cookie. Use a Javascript to check for the existience of a cookie - let's call it "legalcheck". If it doesn't exist, there is a redirect to the home page. The home page is the only page that sets the cookie.

Of course, if the user blocks ALL cookies then they also can't use you site. But then they could also not allow frames in theory.

if you use a server side processing you can force people to login and maintain a session variable.

You check for the session every page. If there is no session set, redirect them to the login page.

It's the only foolproof method.

You can also have secure directories protected by password. (look up htaccess)

Thanks guys for the quick replies. I'll have to consider your suggestions, although I didn't really wanted to use either cookies or server side scripting if I can avoid it. Apart from that, I haven't got a clue (yet) about this server side processing and what I'd have to do ;-)

I was wondering if it would be possible via javascript to detect within each of my pages whether the access came from within the domain of my site, i.e. the last displayed page was from my site's domain, and if not redirect to the index page, which than subsequently allows access to the other pages?

Using a javascript that depends on the referer would be problematic - in fact the referer is not a very dependable object no matter what technology you use to access it. Many browsers will hiccup in various situations on providing an accurate referer, and you would probably make many people a bit crazy if you went that route.

Thanks Tedster for the warning :-) I shall stay well away from that then, possibly keep my frames until I have advanced to some server scripting...

Mandatory "in your face" disclaimers may become as ubiquitous as those software licence acceptance buttons. I have had two requests from client's legal types to do viability presentations in the past eight months.

My conclusion was that server side script was the only viable option as browsers allow denial of client side scripting and of cookies.

Probably the cleanest option is to detect the referring page (as WolfsonUK mentioned) and if it is external then present the legal stuff. The drawbacks are (1) slight slowing of serving pages as every request is filtered; (2) each visit generates the disclaimer; (3) some M$ servers may require workarounds; (4) as tedster mentioned some browsers don't know where they are coming from. ;-)

On the positive side are (1) no need for login/registration which many people dislike and which adds extra maintenance to the system; (2) every visitor gets the message.

Your server capacity, your traffic volume, and your visitor type are all things to consider to determine which choice is best.

And whichever route you choose you get to learn something - ain't it fun!

The "Collection" section of the Art Gallery of New South Wales (Australia) does something very much like this, if you want to see a sample implementation. I am pretty sure it is cookie-based.

Personally I think it's annoying and pointless, but at least the way it's implemented it allows for deep bookmarking and linking. You just click that "I Agree" to the terms and conditions, and it takes you on to wherever you were headed.

Ah well ... this is a lot to think about. Thanks again for all your input.

iamlost: I agree, lot's to learn and it's fun - once you get around all the obstacles ;-) This is going to be my next task I suppose.

jomaxx: You're right, this is a very good example, it does exactly what I want my sites to do. Don't know however what exactly happens if cookies are disabled, must test this, but not tonight. And as far as we might find it annoying or pointless, I guess we'll have to leave it to the owners of the sites - if they see a valid reason for such disclaimers it's up to us web designers to make them work ;-)

Hmmm ... after pondering about lots of ideas, and with the aim to keep it simple, I guess that the best way to go would be server side scripting, since either javascript or cookies can be disabled and that would lead to at least inconveniences when viewing my site, if not actually stop the 'security mechanism' to work.

Using the referrer seems to be an approach which can be unsafe too, if some browsers don't know where they are coming from.

txbakers suggestion to create a session seems to be the safe way. However, I don't want visitors having to log in, they shall simple have to click on an 'accept' button for the legal terms. Can a cgi script automatically create a visitor-specific session variable on my index page, that my other pages subsequently check (and if it's not set, they send the visitor to my index page)? Does anyone have an example script for that or can anyone point me in the right direction?

Yes, you can create a generic Session variable - even a true or false.

But that session variable would have to be set every time a visitor comes to your site. A session variable by nature goes away when a person closes their browser session.

Maybe a combination of cookies and session variables.

But unless you have some type of event before getting into your site, how is the server to know whether this person should be allowed? A login on each visit is not inconvenient, especially with the browsers that can store form data. Web surfers are used to it. If the content is worth looking at, they will login.

And, if the content is worth protecting this way, you might want to keep an entry log somewhere so you know who is logging in at what time.

I can see your point, txbakers. But in my case - or rather, in the case of a client of mine - what you describe is exactly what they want: Each time any visitor comes to the site, it should display the legal disclaimer, the visitor has to click an accept button, and then they are free to serve. It's not really about protecting content but about indemnity. And once they have read and accepted the terms, everyone is allowed so there are no restrictions there.

Once the visitor leaves the site, next time they return, same procedure again. It would work similar to the Art gallery which was mentioned here before, but without the use of cookies (since if they are disabled, the legal page pops up EACH time you select another page even from within the site, which is a pain).

Any further things such as visitor tracking are not required or wanted at this stage, anyway.

Then you're fine. Have the "accept" button submit the form and initialize the session variable.

No sweat.

*grin* apart from the fact that - as a complete newby to cgi scripting - I could really do with some examples, or simple free scripts which I could modify. Is there a good place to find such basic information that you could point me to?

well, you'll need to use a scripting language that runs on your server. I use ASP, so it would like this in ASP:

if (String(Request("accept"))!= "undefined") {

Session("Allow") = "true";

}

That's all there is to it.

Then, on every page you want to protect you check for the Session like this:

if (Session("Allow")!= "true") {
Response.Redirect("homepage.asp");
}

That's in ASP with JavaScript.

Your language might be slightly different.

Thanks a lot txbakers! I am sure that will get me started :-)