On Thu, Nov 12, 2009 at 1:21 PM, Ashley Sheridan
<a...@ashleysheridan.co.uk> wrote:
> On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote:
>> All,
>> I am using sessions for my application to verify a user has logged in:
>> <?php
>> // The session must be started before $_SESSION is available.
>> session_start();
>>
>> // Verify the user is logged in.
>> if (!isset($_SESSION['basic_is_logged_in'])
>>     || $_SESSION['basic_is_logged_in'] !== true) {
>>     // If not logged in, redirect to the login page.
>>     header('Location: login.php');
>>     exit;
>> }
>> If anyone tries to go to any page in the application via the address bar,
>> they are correctly redirected to the login page.
>> However, if someone that is currently logged into the application using IE
>> goes to File -> Send -> Page by Email, the person they email the link to can
>> open it and use the application without logging in and the address bar uses
>> a local path like: C:\Documents and Settings\my_name\Local
>> Settings\Temporary Internet Files\OLK18\My Page (2).htm
>> How can I prevent the emailed pages from being able to access the
>> application if it is a local path or the user hasn't logged in?
> You can't really. When someone is emailing the page, it's the equivalent
> of them saving the page to their local computer, and then sending that
> as an attachment. As this is all client-side, it has no contact with
> PHP. You could have some sort of JavaScript to detect the domain the
> page has, and then redirect if it's not your domain, but this fails when
> someone turns JavaScript off. Apart from that, I don't know of any other
> way you could stop someone from emailing a page, aside from making the
> site completely Ajax based and pulling in every scrap of content via
> Ajax.
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

And even then, it has become part of the DOM and will be saved with
the rest of the page. The presence of JavaScript in the page *might*
remove it/hide it/obscure it/etc., but it will still be there in the
saved document.


PHP General Mailing List (http://www.php.net/)