
Topic awaiting preservation: allow page loading as iframe only

 
GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 12-20-2005 21:28

so, here is a hard one for you guys.

i have a website, which contains a webshop.

due to certain reasons, the webshop is displayed on the site inside an iframe.

now obviously i don't want people to find out the webshop url and be able to load the webshop alone, so i added a short javascript to the webshop which automatically redirects to the complete site.

code:
<script>
// Loaded on its own (no frames at the top level): send the visitor to the full site.
if (top.frames.length == 0)
	location.href="/site/index.php?page=webshop";
</script>



this works fine, as long as javascript is turned on.

now how could i do the same thing without javascript?
i couldn't find a solution so far, since there seems to be no possibility to find out if the page is in an iframe or not with php or something like that.



(Edited by GRUMBLE on 12-20-2005 21:33)

zavaboy
Bipolar (III) Inmate

From: f(x)
Insane since: Jun 2004

posted 12-20-2005 22:17

You could use PHP to track requests. So for example, you get a hit to the webshop, have PHP check to see how long ago the main page has been hit by the user IP (or session). If it hasn't been hit for a while (within 5-10 minutes I guess) or not hit at all, send a location header to the main.

I don't know how well that works, and there are probably better ways, but that's what I'd do for a start.



(Edited by zavaboy on 12-20-2005 22:19)

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 12-20-2005 22:18

You can find the uri of the page, in PHP, using $_SERVER['PHP_SELF']. You can do a redirect using the header() function with the location attribute.

I would assume, though I do not know for certain, that if the 'php_self' for the page is the location of the shop itself, then it is not in a frame. If the 'php_self' is the page that you use to load the frame, then you're good to go.



(Edited by DL-44 on 12-20-2005 22:20)

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 12-20-2005 22:35

DL that will get you in a loop, PHP_SELF will be the url of the iframe page no matter if it's in your iframe or not.

You can check the referrer value to make sure it's coming from your frame page which is how I'd do it.

I guess you could theoretically do some trickery with sessions like have a session start on the main frame, then make sure you have a started session in the iframe.

However if someone goes to the main page, and then loads the iframe source by itself the session will still be valid.



.:[ Never resist a perfect moment ]:.

zavaboy
Bipolar (III) Inmate

From: f(x)
Insane since: Jun 2004

posted 12-20-2005 22:43

You should use the JavaScript (it works well for this) and just have PHP as a backup in a way.

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 12-20-2005 23:34

thank you all!

that referer-check sounds like the best idea to me. but isn't it possible to fake that one too?

edit:
yes, obviously you can fake referers: http://en.wikipedia.org/wiki/Referer_spam
from the php manual:

quote:
'HTTP_REFERER'

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.





(Edited by GRUMBLE on 12-21-2005 00:21)

zavaboy
Bipolar (III) Inmate

From: f(x)
Insane since: Jun 2004

posted 12-21-2005 00:22

Also:
Some people have referrers off on their browser, which may be because either the browser or an internet security program is blocking it. Some people aren't aware they're blocking it too, so don't assume they know.

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 12-21-2005 00:39

Yes you can hide referrers however you're not going to get a perfect answer to this question. There's no way for the server to distinguish between a request from within a frame and from without.

You could also combine all these suggestions to get a pretty good solution however at the end of the day if someone really wants to they will still be able to get the page without the parent frame.

Also you need to be careful with these methods as all of these checks have the potential of getting you stuck in a validation loop that someone can't get out of.

For example if someone doesn't have the referrer value turned on then you will never get a referrer, even if they load the page within the correct frameset and the user would get stuck in an endless validation loop.



.:[ Never resist a perfect moment ]:.

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 12-21-2005 00:39

Right - was thinking the frame would return the php_self info from the parent...haven't worked with frames in years

I would recommend the session route then. Pass a simple check, such as $frame = true; or something to that effect? The iframe would check, and if !$frame, redirect.

The referrer check sounds to be completely unreliable in any real sense.

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 12-21-2005 15:00

thanks again guys.

a simple check like $frame=true will be easily fakeable too by just typing that into the address. but maybe i can use real php->session to have a somewhat secure solution.

DL-44
Maniac (V) Inmate

From: under the bed
Insane since: Feb 2000

posted 12-21-2005 15:57

That's what I was talking about grumble: set that variable via the session on the main page, then check it again via the session in the iframe page.
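
The session-flag approach discussed above, with the validation loop bitdamaged warns about avoided by allowing at most one redirect. This is an added example, not code posted by anyone in the thread; the session key, the `bounced` parameter, the 600-second window and the function names are assumptions. As the thread already notes, a visitor who has loaded the main page can still open the shop URL directly while the flag is fresh, so this steers visitors rather than controlling access.

```php
<?php
// Added example, not code from the thread. FRAME_FLAG, FRAME_TTL, the
// "bounced" parameter and the function names are assumptions.
const FRAME_FLAG = 'shop_frame_ok';                 // hypothetical session key
const FRAME_TTL  = 600;                             // seconds the flag stays valid
const MAIN_URL   = '/site/index.php?page=webshop';  // URL from the first post

// Main page: call before any output, then emit the <iframe>. If the main page
// was itself requested with bounced=1, append ?bounced=1 to the iframe src.
function mark_parent_loaded(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION[FRAME_FLAG] = time();
}

// Pure decision so the rule can be read (and unit tested) on its own.
function frame_gate_decision(array $session, bool $bounced, int $now): string
{
    $stamp = $session[FRAME_FLAG] ?? null;
    if (is_int($stamp) && $now - $stamp >= 0 && $now - $stamp <= FRAME_TTL) {
        return 'serve';
    }
    // One redirect at most: a second miss means the session cookie never
    // arrived (cookies blocked), so redirecting again would loop forever.
    return $bounced ? 'notice' : 'redirect';
}

// Webshop page: call before any output.
function guard_shop_page(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $decision = frame_gate_decision($_SESSION, isset($_GET['bounced']), time());
    if ($decision === 'serve') {
        return; // Flag is fresh; render the shop as usual.
    }
    if ($decision === 'redirect') {
        header('Location: ' . MAIN_URL . '&bounced=1', true, 302);
        exit;
    }
    http_response_code(403);
    echo '<p>The shop needs cookies. <a target="_top" href="'
        . htmlspecialchars(MAIN_URL, ENT_QUOTES) . '">Open the full site</a></p>';
    exit;
}
```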

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 12-21-2005 18:00

ok. i have to admit i never worked with sessions before, so i gotta look into that first.

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 01-08-2006 19:17

edit: i had a stupid idea, please ignore.

(Edited by GRUMBLE on 01-08-2006 19:37)
