[Request]website parameters

_Diavolino_ · 11/13/2014, 21:26

Hello,

In follow of that tutorial from Castor ->

where the rerol online cant be access if there is not log session ON...

i am searching the same kinda of processing to make one link of page unvailable IF you are not passed by the Home page. (if its possible) or eventually one link.

i explain :
exemple... shaiya evaliaria get
HOMEpage as [

]if you want to see pvp rank, you just need to clic on menu. OR
second solution could be to get directly the link as [

] and valid. OR
third solution to get the source and [

] to valid.

What i search is the possibility when you try to connect to [

] is unvailable but Allow only by connexion via the site. i means to force the player to see the main page of the site then to make his staff...

the same process i saw on Castor web site configuration if you try removing the menu or other from the reroll side, the script doesnt work.

i think there is something to put in header page or via Htaccess...but i dont know and i would ask some help

Thank you for reading and hope its understanding -_-''

kind regards,

sominus · 11/14/2014, 00:28

You could use something like this:

Code:

<?php

$vrefer =  $_SERVER["HTTP_REFERER"];

//Check referer contains evaliariashaiya.com
if (strpos($vrefer ,'evaliariashaiya.com') !== false) {

 } else {

 echo 'You can't see this page directly, please visit http://www.evaliariashaiya.com';

 exit;
 }

It's very basic, but it should work. You can add some redirection also.

castor4878 · 11/14/2014, 01:23

this is usually handled by a test of the running session.

[context]
a php application echanges cookies with the client browser as soon as a session is started (with

()).

a modern & politically correct website should ask the user if he/she accepts cookies before sending them ... but of course, all appls starts to read cookies (and potentially perform undocumented saves) before asking.
[/context]

you can use the same principle:
in all pages BUT the regular homepage(s), you include as the very first lines of the page a small script, eg:

Code:

<?
	include('validateSession.php');
?>

the validateSession.php script is defined as:

Code:

<?
//	enable cookies session
	session_start();
//	check a flag (a dummy or usefull one)
	if (!isset($_SESSION['isValid'])){
		header("Location: index.php");
		exit();
	}
	
//	process required steps, if any, when a valid session is opened
//	...
?>

in the homepage, you will define:

Code:

<?
//	enable cookies session
	session_start();
//	record valid session
	$_SESSION['isValid']  = true;
	
//	define page content
//	...
?>

Edit: also note that the context of an application is limited to a given host; there you are loading in a iframe a page of another webserver known by its IP; you shall NOT process this way.
Since that host is your MS-SQL svr, and likely the game server, you SHALL allow requests on port 80 (http request) to at most ONE client: your own web server (23.229.134.180). You will, in such case, request the ranks table from a server-side script (asking it with some PHP code to the game-svr) and then flushing the received html code into the requested page. (classical client-server-server chain).

_Diavolino_ · 11/14/2014, 12:14

2 interesting answer i will try to make some test of this both and i will post result ^^ because at view it sound clear and simple BUT in practise the results are all the time different in my side

Thanks to you both its kind

EDIT :
@Castor,

Code:

you SHALL allow requests on port 80 (http request) to at most ONE client: your own web server (23.229.134.180).

In that case i should to open it in a new browser windows and not to put as iframe ? i means if i want to use that method i should doing that ?

in more with what propose Sominus, what will be the difference of result ?

and the code php should be indroduce to each page of website ?

sominus · 11/14/2014, 23:57

What I said, is more to prevent direct access to a page from outside the main site. In cases where you use IFRAMEs. (of course it needs more custom development).

What Castor said, is about sessions (security stuff), wich your site should implement if you use any stuff that requires the user to be logged in (change password, gm rerolls, webmall, etc). In that case, you should first read the php manual to understand how it works, from the link castor provided.

I see you used some template on that site. It would be better if you code the site from scratch. That way you control exactly how each section works.

Also a sugestion: In that pvp rank, you could disable the popup window that shows toon details (it's jquery ttip), because some ppl would spend the day consulting that list, wich results in constants requests. I didn't check if all the content is preloaded, but if it's not, it would be better to disable it.

castor4878 · 11/15/2014, 21:07

Quote:
Originally Posted by _Diavolino_
Code:
you SHALL allow requests on port 80 (http request) to at most ONE client: your own web server (23.229.134.180).
In that case i should to open it in a new browser windows and not to put as iframe ? i means if i want to use that method i should doing that ?

No, I repeat: only the web server IP: 23.229.134.180 (registered domain name:

) should be allowed to send a http request to the game server host (IP: 167.114.0.133).
For all clients (but 23.229.134.180 and optionally your own private IP), the host 167.114.0.133 shall NOT be reachable as a web server.

I understand that "you want" to manage requests this way, and I repeat that it's not a safe way to process and it shall not be done this way.

Quote:

Originally Posted by _Diavolino_

in more with what propose Sominus, what will be the difference of result ?
and the code php should be indroduce to each page of website ?

an iframe has no referrer.
all security related data are relevant for one web application on one host, any authentication (weak by cookies or strong by user password) can not be shared / transmitted from 1 host to another.

yes, the php test shall be inserted in all pages, like all the code common to all pages; I hope you didn't (manually?) insert the following header:

Spoiler

in all pages, but that you're yet using an "include myHeaderStuff.php".

_Diavolino_ · 11/16/2014, 00:02

Oh thats clear, evaliaria is not my server its one server that "click" me for one exemple. because i saw some way simple in source so was good to present as exemple for me.
After no i am using for my own site one program where i could manage to inserated in all page the concern code.
Your explanation was like all the time clear and help to understand the situation where i want to arrive...
and in what i could understand out of one iframe, we should using one new browser windows to secure better the exchange between side and server by the unique autorisation between both ?
and now, rest to me to find the right code to implemented !

Thanks you for your advise tips and helps !

Regard,

sominus · 11/16/2014, 21:04

Let's say your DB server is on 10.0.0.1 and your web site is on 20.0.0.1
Your DB server should allow HTTP requests ONLY from 20.0.0.1 (and 127.0.0.1 ofc) and block any other IP.

Some ppl open the DB to the outside, so they can use Navicat or SQL SMS, but that's a bad idea (even worst, some ppl use the default Shaiya123 passw).
It's better to have a custom (still protected) web Control Panel, to manage the DB.

_Diavolino_ · 11/16/2014, 22:43

surely !
but for my case all (the whole folder of php script) will be in host side, that means i just need to put one "include" in the document to execute the correspondant script than the site will communicate with the server.
as the host get php configurate i dont need to inserated iframe.
after its true the exemple of evaliaria is with configuration on game server with them server configuration on port.
me its not because all rest on host.

@Castor,

what do you means by
"// process required steps, if any, when a valid session is opened
// ..."

wich new step we should to add to that to make it complete ?

sorry for question i am to be expert in webmaster xD

Thanks much

_Diavolino_ · 11/18/2014, 00:52

it Work well (without iframe)

just try it and its nice xD it redirect to homepage.
Thank You again *_*

an other point about that iframe, i dont understand what you explain here about "flushing the code" when receiving the request from server. and in that case wich method to apply to have that system to come by the home page in case of iframe.

Spoiler

castor4878 · 11/18/2014, 02:14

I was writing a detailled answer, but the smart coder of this page considers it's nice to ajax-refresh it time to time (losing any edited message of course), I was bored enough to not retype all the mess.

what I was dealing with is a client-client-server request.
the end-user (1st client) request the PVP ranks to the regular web server.
that web server requests, for instance with PHP code using cURL API, the page to the game server, so acts as a 2nd client. The PHP code requests a html page, it formats it (more or less) and paste (write / ouput) it into the page is about to return.

the http daemon of the game server is setup to only respond to the web server (otherwise you will always find smart guys or hackers to directly send requests (and attacks) to the different components of game server (incl. the http daemon, the MS-SQL listener and so on).