Under normal model-view-controller (MVC) design pattern, controller is a good mediator between the server and the client while the server can keep some secrets about how it redirects various requests with one single point of intact. It fits Java pretty well, so how about PHP?
Without MVC, PHP page redirection is fairly easier, but with a little bit out of control. The user may try hacking into a web application by sniffing the url. Somehow, this violates the workflow among the pages. Web developer may try their best to hide the url from the users. However, it's not quite practical as nowaday browsers always keep up-to-date to have new features to protect the user's interest, i.e., disclosing as much information as they can from the web site. At least, you can't suppress the url bar on IE7.
The enclosed link was originally the problem on a forum about how to prevent direct downloading of javascript source code from the web server. Someone gives out a good example. The thoery behind this is based on using PHP MD5 checksum to generate unique ID session for the calling page and then use it as input parameter to verify the access right on the target page by comparing the ID session object and the input parameter.
Let's have a enhanced version for PHP pages.
Example:
Without MVC, PHP page redirection is fairly easier, but with a little bit out of control. The user may try hacking into a web application by sniffing the url. Somehow, this violates the workflow among the pages. Web developer may try their best to hide the url from the users. However, it's not quite practical as nowaday browsers always keep up-to-date to have new features to protect the user's interest, i.e., disclosing as much information as they can from the web site. At least, you can't suppress the url bar on IE7.
The enclosed link was originally the problem on a forum about how to prevent direct downloading of javascript source code from the web server. Someone gives out a good example. The thoery behind this is based on using PHP MD5 checksum to generate unique ID session for the calling page and then use it as input parameter to verify the access right on the target page by comparing the ID session object and the input parameter.
Let's have a enhanced version for PHP pages.
Example:
From this example, only the user clicking the link can access page1.php. When trying to access the main content of page1.php by typing url directly, no one will succeed. A warning message will be shown instead. Simple, but useful ;-)
No comments:
Post a Comment