
I am trying to prevent users from connecting to certain pages with a script. Thus, is there any method I can use to detect if a connection to a specific web page is a client browser versus an automated script?

I know certain headers can be spoofed, but is there another mechanism I can use, say, if unable to set a session_start or setCookie? Do those return true/false values if able or unable to be set?

Something like:

$sessionID = session_id();
$isSet = setcookie('cookieName', $sessionID, [ .... ]);
if ($isSet === false) {
    // ... do something to kill the session
    // ... or do something to redirect
}

Is this even possible? And even if it is, I know this probably isn’t reliable, but what would be a better or more reliable method?

And to clarify: detect if it's a script and, if so, kill it before even serving the rest of the HTML page.

4 Answers


  1. You can use UserAgent

    (You can see how to get it here: How to get user agent in PHP)

    This will let you know the user's web browser, which (I assume) will be different for 'scripts'.

  2. If you are trying to prevent pages from being called entirely, you can reliably do this with a combination of using an .htaccess file and a PHP "check" file. This will check to see if the requested file came from your scripts, or an outside source. Make a directory, and put your "hidden" script files in it along with the following 2 files:

    .htaccess

    php_value auto_prepend_file check.php
    

    check.php

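    <?php
        // Runs before every script in this directory (via auto_prepend_file).
        // Reject requests that lack the X-Requested-With header.
        if (empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {
            header('Location: /page_404.php'); // Or whatever you want it to do.
            exit;
        }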
    

    All the .htaccess directive does is make check.php happen before every script call. So technically you COULD just include check.php at the top of every file. But I find this a more complete, elegant solution.

  3. You can do it with $_SERVER['HTTP_REFERER'], but it can be faked.

    <?php
    
    if (isset($_SERVER['HTTP_REFERER']) && strtolower(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)) === 'example.com') {
      //your code
    } else {
      die('Bots are not allowed!');
    }
    
  4. You can check with php_sapi_name() if you are running on CLI.

    This example will only allow scripts from CLI.

    // php_sapi_name() returns 'cli' when run from the command line.
    if (php_sapi_name() !== 'cli') {
        die('CLI only');
    }
    

    You can reverse the condition to make it run only on the web server.

    if (php_sapi_name() === 'cli') {
        die('Web Server only');
    }
    
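On the question's setCookie idea, as an added example that is not part of the question or of any answer above: `setcookie()` only reports whether the header could be queued (it returns false when output has already been sent), so whether a client keeps cookies can only be observed on a later request. The cookie name, lifetime, secret and the `gate()` helper below are assumptions made for illustration, and any client that stores cookies, scripted or not, passes this check.

```php
<?php
// Added example: cookie round-trip gate. All names below are hypothetical.
const GATE_COOKIE  = 'gate';  // assumed cookie name
const GATE_MAX_AGE = 300;     // assumed token lifetime in seconds

// Token = issue time plus an HMAC over it, so a client cannot mint its own.
function issueToken(string $secret, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

function verifyToken(string $token, string $secret, int $now): bool
{
    if (!preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $age = $now - (int) $m[1];
    // hash_equals() compares in constant time.
    return hash_equals(hash_hmac('sha256', $m[1], $secret), $m[2])
        && $age >= 0 && $age <= GATE_MAX_AGE;
}

// Decide one request from the cookies it sent. $retried is true when the
// request already carries the marker added by a previous challenge redirect.
// Returns ['serve'], ['deny'], or ['challenge', <token to set>].
function gate(array $cookies, bool $retried, string $secret, int $now): array
{
    $token = $cookies[GATE_COOKIE] ?? '';
    if (is_string($token) && verifyToken($token, $secret, $now)) {
        return ['serve'];
    }
    // Challenged once and still no valid cookie: stop instead of looping.
    return $retried ? ['deny'] : ['challenge', issueToken($secret, $now)];
}

// Constructed demo for the PHP CLI; the secret is a placeholder.
$secret = 'replace-with-random-server-side-secret';
$first  = gate([], false, $secret, 1000);                         // first hit
$second = gate([GATE_COOKIE => $first[1]], true, $secret, 1005);  // cookie returned
$third  = gate([], true, $secret, 1005);                          // cookie never stored
$forged = gate([GATE_COOKIE => '1000.' . str_repeat('0', 64)], true, $secret, 1005);
echo implode(' ', [$first[0], $second[0], $third[0], $forged[0]]), PHP_EOL;
// In a web request, on 'challenge': call setcookie(GATE_COOKIE, $token, $options),
// redirect to the same URL with the retry marker, and exit before any page output.
```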