I would never rely on 'HTTP_REFERER'. From <
http://php.net/manual/en/reserved.variables.server.php > :
"This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted."
There was a number of solutions that I could think of for this problem. I am not sure how reliable they are, depending on the level of security needed.
(1) Javascript:
//child.php
<script type="text/javascript">
window.onload = function() {
alert(window.parent.locati
on.href);
alert(window.top.location.
href);
if(window.parent.location.
href.index
Of('mypare
nt.php') < 0) {
window.location.replace("
http://google.com");
}
}
</script>
(2) $_GET
//parent.php
<iframe src="child.php?pw=somevery
longpasswo
rd">
</iframe>
//child.php
if($_GET['pw'] != '...') {
header(...);
die();
}
(3) $_SESSION (don't know if this will work opening tons of tabs)
//parent.php
$_SESSION['parent'] = TRUE;
//child.php
if(!$_SESSION['parent']) {
header(...);
}
$_SESSION['parent'] = FALSE;
You could also use htaccess ReWriteRule, but the solution would be only as good as the ones already listed. #3 would be the most secure, if it works. I don't think you'll be able to find a full-proof secure solution, but these solutions will work for just general purposes. I'll let you know if I think/find of anything else. If you need further details/helps with one of these solutions, I'll explain it in more detail.
