Kind of Hotlinking Protection - Please Help!

Discussion in 'PHP' started by Guthix121, Jan 18, 2010.

  1. #1
    Here's my dilemma for my proxy - I'm putting a CPALead on the index of the proxy. Once you fill it out, you can use the form on index.php to access browse.php

    The problem is, anybody can access browse.php directly, bypassing index.php.

    And normal site hot linking doesn't work because somebody can just go on any other page on my site and then hotlink.

    So what would be a way that I could REQUIRE a user access my browse.php through my form on index.php - and only that form?

    I don't know how to integrate sessions with that form, and I am thinking something along the lines of a random key? And it needs to expire every 2 hours.
     
    Guthix121, Jan 18, 2010 IP
  2. danx10

    #2
    Assuming http://www.guardtunnel.com/ is your site you could add in browse.php:

    <?php
    // The Referer header is optional and set by the client, so guard against it being absent
    $referer = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER']) : false;
    $host = ($referer !== false && isset($referer['host'])) ? strtolower($referer['host']) : '';

    // accept the site with or without the www. prefix
    if($host == "guardtunnel.com" || $host == "www.guardtunnel.com"){
    $check = "1";
    } else {
    $check = "0";
    }

    if($check == "1"){

    //all browse.php code goes here...

    } else {
    //didn't come through index.php.... so redirect them back to index
    header('Location: http://www.guardtunnel.com/');
    exit; // stop here, otherwise the rest of browse.php still executes after the redirect header

    }
    ?>
    or...

    <?php
    if(isset($_REQUEST['encodeURL'])){

    //all browse.php code goes here...

    } else {
    //didn't come through index.php.... so redirect them back to index
    header('Location: http://www.guardtunnel.com/');
    exit; // stop here, otherwise the rest of browse.php still executes after the redirect header

    }
    ?>
     
    danx10, Jan 18, 2010 IP
  3. Guthix121

    #3
    Problem with this is that the code has to be from guardtunnel.com/mydirectory/index.php NOT any guardtunnel.com page.

    Couldn't anybody just make a form with an encodeURL field on any website?

    I now know the name of this - CSRF. I'm trying the following:

    <?php
    session_start(); // must run before any output, or $_SESSION is never populated
    $token = md5(uniqid(rand(), TRUE));
    $_SESSION['token'] = $token;
    ?>

    PAGE HTML HERE

    		<form action="http://www.guardtunnel.com/ad-free/includes/process.php?action=update" method="post" onsubmit="return updateLocation(this);" style="margin:10px 0;">

    FORM STUFF
    		<input type="hidden" name="sitetoken" value="<?php echo $token; ?>" />

    And then I'm placing this in browse.php:

    <?php
    session_start(); // same session as index.php, otherwise $_SESSION['token'] is unset here
    // compare only when both values exist; a missing POST field must also fail
    if ( !isset($_SESSION['token'], $_POST['sitetoken']) || $_SESSION['token'] !== $_POST['sitetoken'] ) {
    echo "Not valid";
    exit; // do not run the rest of browse.php for an invalid token
    }
    But it's not working. I think it has something to do with the form going through process.php but I added that code to process.php too and it still doesn't work.

    I'm using Glype by the way, if you don't mind checking out the source.
     
    Guthix121, Jan 18, 2010 IP
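The session-plus-random-key approach discussed in this thread, written out as an added example (not Glype's code and not the poster's): index.php stores a fresh token in the visitor's session, the page the form posts to redeems it and unlocks browse.php for two hours, and browse.php bounces anyone whose session has not been unlocked. It assumes PHP 7 or later for random_bytes() and hash_equals(); the URL and function names are made up for the illustration.

```php
<?php
// Added example: gate browse.php behind the form on index.php using the
// visitor's own session. Assumes PHP 7+ (random_bytes, hash_equals).

const FORM_TOKEN_TTL = 7200; // the 2-hour lifetime asked for, in seconds

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // must run before any output on every page involved
    }
}

// index.php: call before output, put the result in <input type="hidden" name="sitetoken">.
function issue_form_token(): string
{
    ensure_session();
    $token = bin2hex(random_bytes(32)); // unguessable, unlike md5(uniqid())
    $_SESSION['sitetoken'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// The page the form posts to (process.php in the thread): on success, unlock
// browse.php for this session for FORM_TOKEN_TTL seconds. A token submitted from a
// form on some other site fails because it never matches the value in THIS session.
function redeem_form_token(array $post): bool
{
    ensure_session();
    $stored = $_SESSION['sitetoken'] ?? null;
    unset($_SESSION['sitetoken']); // single use: a second submission needs a new token
    if ($stored === null || !isset($post['sitetoken'])
        || time() - $stored['issued'] > FORM_TOKEN_TTL
        || !hash_equals($stored['value'], (string) $post['sitetoken'])) {
        return false;
    }
    $_SESSION['browse_until'] = time() + FORM_TOKEN_TTL;
    return true;
}

// browse.php: call at the very top; direct hits without a redeemed token are sent
// back to index.php, and the proxy code below never runs for them.
function require_browse_access(string $indexUrl): void
{
    ensure_session();
    if (($_SESSION['browse_until'] ?? 0) < time()) {
        header('Location: ' . $indexUrl);
        exit; // stop here, a redirect header alone does not stop the script
    }
}
```

Because browse.php checks the session rather than the Referer or the presence of a field, a visitor who reaches it through any other page, or who posts a hand-made form with an encodeURL or sitetoken field, is redirected, while a visitor who went through index.php keeps access until the two hours are up.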