Newbie question - Server side redirect (PHP Language forums, PHP Programming Forums category)
I have a little programming experience in ASP and I need to change a conditional redirection script into PHP. The script prevents a page from being viewed outside a frameset. Redirection should be on server level. Any help would be greatly appreciated. I have never coded in PHP ever, so an example of a complete page would be excellent (I tried to post my complete page here but my news server blocks that).

    if (Request.ServerVariables("HTTP_REFERER") == "http://my-php-host/test/frameset.html")
        Response.redirect("http://my-asp-host/test/landing.asp");
    else
        Response.write("you may not view this page");
John Kenickney wrote:
> if (Request.ServerVariables("HTTP_REFERER") ==
> "http://my-php-host/test/frameset.html")
> Response.redirect("http://my-asp-host/test/landing.asp");
> else
> Response.write("you may not view this page");

    <?php
    if ($_SERVER['HTTP_REFERER'] == 'http://my-php-host/test/frameset.html') {
        $url = 'http://my-asp-host/test/landing.asp';
        header('Location: ' . $url);
        // some browser may not honour the redirect
        exit('Redirected to <a href="'.$url.'">'.$url.'</a>');
    } else {
        exit('you may not view this page');
    }
    ?>

But the HTTP_REFERER can be easily faked.

--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
"Pedro Graca" <hexkid@hotpop.com> schreef in bericht news:bth1uu$72keo$1@ID-203069.news.uni-berlin.de... > John Kenickney wrote: > > if (Request.ServerVariables("HTTP_REFERER")= = > > "http://my-php-host/test/frameset.html") > > Response.redirect("http://my-asp-host/test/landing.asp"); > > else > > Response.write("you may not view this page"); > > <?php > if ($_SERVER['HTTP_REFERER'] == 'http://my-php-host/test/frameset.html') { > $url = 'http://my-asp-host/test/landing.asp'; > header('Location: ' . $url); > // some browser may not honour the redirect > exit('Redirected to <a href="'.$url.'">'.$url.'</a>'); > } else { > exit('you may not view this page'); > } > ?> > > > But the HTTP_REFERER can be easily faked. Pedro, thanks for your solution. I've been thinking about the faked HTTP_REFERRER. I developed a solution in ASP where the main page [1] calculates a timestamp. This timestamp is coded and sent in an URL parameter to a redirector page [2]. The redirector page calculates its own timestamp and codes it in the same way, which should be the same when this calculation takes place within 10 seconds after the one on the main page (time enough for the page to load). Only if the codes match, the redirector page redirects to the landing page. The advantage of this is, once an "interested visitor" finds out the redirection page by faking the HTTP_REFERRER, he/she will never get a clue what is the code in the URL parameter. This construction, with some added client side javascript to block the status bar and the right click function completely hides the landing page. 
Now, forgive me to be lurking here for PHP, but I hope somebody appreciates the little humble development I did and translates it into PHP for anybody who can use it (ME ;-)) [1] main.asp: <% strReferringPage=Request.ServerVariables("HTTP_REF ERER")+"" if (strReferringPage == "http://my-php-host/test/frameset.html") { var Now=new Date(); var Time=Now.getTime()+""; //Time holds a 12 figure timestamp in milliseconds like //107123456789 //Take off the milliseconds and the seconds like 107123456 a=Time.substr(0,9); //convert the last character (which is always a number) to //a numeric variable (don't know another way to do that) var offset=Time.charCodeAt(11)-48; //Start a new string and define the first character as //letter #offset in the alphabet (1=a, 2=b etc) //'a' has CharCode 97 //The first character serves as an extra coding key var theCode=String.fromCharCode(97+offset); var theChar="" var count=0 while (count<9) { //convert all numbers from the timestamp into letters in the //alphabet, shifted with the offset //character code '1'=48 //character code 'a'=97 //hence the jump from '1' to 'a' is 49 theChar=String.fromCharCode(a.charCodeAt(count)+49 +offset) theCode=theCode+theChar; count++; } //theCode is now a 7 character string with the first character //as an extra coding key Response.redirect("redirector.asp?a="+theCode); } else Response.write("you may not view this page"); %> [2] redirector.asp <% var a=Request("a")+""; //Get offset from the first character var offset=a.charCodeAt(0)-97; //Get the coded original timestamp (first character stripped) theCodeIn=a.substr(1,9); //Apply the same algorithm to code another timestamp //Because we truncated the milliseconds and the seconds, //this code will be the same when calculated within //10 seconds after the one on the referring page var Now=new Date(); var Time=Now.getTime()+""; b=Time.substr(0,9); var count=0 var theCodeOut=""; var theChar="" while (count<9) { theChar=String.fromCharCode(b.charCodeAt(count)+49 
+offset) theCodeOut=theCodeOut+theChar; count++; } //theCodeOut now holds the same code as theCodeIn, //provided it is calculated soon enough if (theCodeIn == theCodeOut) Response.redirect("http://my-asp-host/test/landing.asp") else Response.write("Wrong parameter"); %> |
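A PHP take on the time-limited URL parameter requested above, as an added example that is not code from either poster. The letter-shifted timestamp involves no secret key, so this version instead signs an expiry time with HMAC-SHA256 and the receiving page verifies the signature; TOKEN_SECRET, TOKEN_TTL, issue_token() and verify_token() are assumed names, and the secret and clock value are constructed placeholders.

```php
<?php
// Added example, not from the thread. TOKEN_SECRET, TOKEN_TTL, issue_token()
// and verify_token() are assumed names; the secret below is a placeholder
// and belongs in server-side configuration.
const TOKEN_SECRET = 'replace-with-a-long-random-server-side-value';
const TOKEN_TTL = 10; // seconds, the window used in the post

// Main page: build "<expiry>.<hmac>" to append as the ?a= parameter.
function issue_token(int $now): string
{
    $expires = (string) ($now + TOKEN_TTL);
    return $expires . '.' . hash_hmac('sha256', $expires, TOKEN_SECRET);
}

// Receiving page: accept only an untampered, unexpired token.
function verify_token(string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !preg_match('/\A\d{1,12}\z/', $parts[0])) {
        return false; // malformed
    }
    [$expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $expires, TOKEN_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return false; // expiry or MAC was altered
    }
    return $now <= (int) $expires;
}

// Constructed demonstration with a fixed clock value.
$t0 = 1073000000;
$token = issue_token($t0);
$mac = substr($token, strpos($token, '.') + 1);
$cases = [
    '5 s after issue'       => [$token, $t0 + 5],
    '11 s after issue'      => [$token, $t0 + 11],
    'expiry edited by user' => [($t0 + 3600) . '.' . $mac, $t0 + 11],
    'not a token'           => ['abcdefghij', $t0],
];
foreach ($cases as $label => [$tok, $now]) {
    printf("%-22s %s\n", $label, verify_token($tok, $now) ? 'accept' : 'reject');
}
```

In real use pass time() for $now, and call verify_token() on the landing page itself (or have the redirector set a session flag that the landing page checks), because a redirect target without its own check remains reachable by URL.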