Home/ Questions/Q 4039196
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T12:34:31+00:00

I’ve been banging my head against this for a week. I have a page

  • 0

I’ve been banging my head against this for a week. I have a page that we want to only be accessible from another domain. Is it possible with PHP or .htaccess? Ive posted a couple attempts to do this on here, nothing seems to work. Please help!

<?php

$allowed_domains = array('dirtybirddesignlab.com','foo.com');

$REFERRER = $_SERVER['HTTP_REFERER'];

if ($REFERRER == '') {
    exit(header('Location: 404.php'));
}

$domain = substr($REFERRER, strpos($REFERRER, '://')+3);
$domain = substr($domain, 0, strpos($domain, '/'));

if (!in_array($domain, $allowed_domains)) {
    exit(header('Location:404.php'));
}

?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    To expand on my comment, see the line if ($REFERRER == '') block.

    <?php

$allowed_domains = array('mydomain.com','yourdomain.com');

$REFERRER = $_SERVER['HTTP_REFERER'];

if ($REFERRER == '') {
    // What do you do here?
}

$domain = substr($REFERRER, strpos($REFERRER, '://')+3);
$domain = substr($domain, 0, strpos($domain, '/'));

if (!in_array($domain, $allowed_domains)) {
    exit(header('Location: error.php'));
}

?>

    Note, the above will fall through to always referring those browsers that haven’t reported a referrer to be redirected to the error.php page.

    My suggestion is to do something like…

    1. Generate salt, share with other server ($dsalt = output from something like puttygen.exe)
    2. Generate shared key on the other domain during response – $dkey = sha1($dsalt.date(‘mDY G’))
    3. Put $dkey within page for requests, resulting in “http://www.mydomain.com/getstuff-ajax.php?key=$dkey”
    4. Recreate the same $dkey on your server and compare against the one in the GET to detect non-allowed access

    For instance…

    Their domain

    <?php

$dsalt = "AAAAB3NzaC1yc2EAAAABJQAAAIBNnuGAM6ZKURAS9h9ag".
         "H85T1eIE+jlLkq7GhFny8wMJNpSM0stTDWeEYfL+4xWIE".
         "lIF3NFvRpDAG/cgXuVmlBcO0ZxxKosrDv0dXCXNt5ciPJ".
         "UjFi1e0FEJtkO32xrTDEB2IUg9rZ0tiqqsqnTCZBQ4AEvpMi";

$dkey = sha1($dsalt.date('mDY G'));

// ... Other stuff or whatnot, possible the above is also just an include file

// Then, they use it...

echo "<a href=\"http://yourdomain.com/download.php?key=$dkey\">Download stuff</a>";

?>

    Your domain – include(‘/path/to/domaincheck.php’)

    <?php

$dkey = $_GET['key'];

$dsalt = "AAAAB3NzaC1yc2EAAAABJQAAAIBNnuGAM6ZKURAS9h9ag".
         "H85T1eIE+jlLkq7GhFny8wMJNpSM0stTDWeEYfL+4xWIE".
         "lIF3NFvRpDAG/cgXuVmlBcO0ZxxKosrDv0dXCXNt5ciPJ".
         "UjFi1e0FEJtkO32xrTDEB2IUg9rZ0tiqqsqnTCZBQ4AEvpMi";

if (sha1($dsalt.date('mDY G')) != $dkey) {
    exit(header('Location: error.php'));
}

?>

    Notice both the $dsalts are the same. I generated that with puttgen.exe.

    Something along those lines. You will need to handle cases in which the key may expire, or whatnot. Another method may be to share valid $dkey’s between your servers with a timestamp and expire them after a certain amount of time (maybe one hour).

    theirserver.com and yourserver.com

    1. Salt, or in other words, private key, same on both servers
    2. Function to (re)create the hash using the salt and some date stamp, same on both servers

    Browser

    1. Links to yourserver.com includes generated key (hash) created from static salt and date stamp function
    • 0