How can I avoid an iframe to be called directly?

06-07-2005, 11:36 AM
I have an iframe in the middle of my site, and I don't in any way want someone to directly address that iframe.

How can this be possible??

An idea may be passing a control variable from the main page to the iframe, but someone can still open the iframe by including that variable at the end of the URL.

06-07-2005, 11:50 AM
Use authentication with PHP or use .htaccess for this.

Here's the php way. (http://www.scit.wlv.ac.uk/appdocs/php/features.http-auth.html)
Or another easy one with sessions. (http://www.php-mysql-tutorial.com/user-authentication/basic-authentication.php?PHPSESSID=811850891876602d5ac86da3772d2a16)

06-07-2005, 12:23 PM
You could try something like this at the top of your iframe file:

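// Redirect when the request's Host header does not contain our domain
$mydomain = 'yourdomain.com';
if (strpos($_SERVER['HTTP_HOST'], $mydomain) === FALSE) {
    header('Location: http://www.yourdomain.com');
    exit; // stop so the iframe content is not sent after the redirect
}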
The only problem is, because it's an iframe I'm not sure if $_SERVER will be populated with your server data or the data of the server belonging to the person linking it but you can test that pretty simply.

If it does cause a problem you could probably solve it by using CSS overflow to create a virtual iframe and including the file instead (I'm pretty sure an included file gets the server data of the calling page, not its own server data), but if it gets to that point you may as well look at authentication as an easier solution.

06-07-2005, 12:49 PM
I think I will set up a session variable in the page calling the frame and then check that variable inside the frame. Seems an easy solution, thanks for your help :thumbsup:

06-07-2005, 04:56 PM
Sessions are always the best route when passing data from page to page in your site. That includes blocking out things that can only be included or added to your pages. Go with that route, watch your session settings though, and test it with your cookies off (use_trans_sid is off by default in php.ini, which auto-appends your links).
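
Added example (not code from any poster in this thread): a sketch of the session check discussed above, combined with the "control variable" from the first post so that the variable is random, tied to the visitor's session, and usable only once. A plain session flag only shows that the browser loaded the parent page at some point; the single-use ticket also rejects the same iframe URL when it is reopened directly or copied to another browser. The function names, the `t` parameter, and the 30-second lifetime are assumptions, and `$session` stands in for `$_SESSION` so the demo runs from the command line.

```php
<?php
// Added example: hypothetical helpers, not code from the thread.
// $session stands in for $_SESSION so the constructed demo below runs from the CLI.

const FRAME_TICKET_TTL = 30; // seconds a ticket stays valid (assumed value)

// Parent page: store a random single-use ticket and return it for the iframe URL.
function issue_frame_ticket(array &$session, int $now): string
{
    $ticket = bin2hex(random_bytes(16));
    $session['frame_ticket'] = ['value' => $ticket, 'expires' => $now + FRAME_TICKET_TTL];
    return $ticket;
}

// Iframe page: accept only a ticket that matches this session, is fresh, and is unused.
function redeem_frame_ticket(array &$session, string $presented, int $now): bool
{
    $stored = $session['frame_ticket'] ?? null;
    unset($session['frame_ticket']); // single use: consumed even when the check fails
    if (!is_array($stored) || $now > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['value'], $presented); // constant-time comparison
}

// In the real pages, after session_start() in both:
//   parent: $t = issue_frame_ticket($_SESSION, time()); emit <iframe src="frame.php?t=$t">
//   frame:  $t = $_GET['t'] ?? '';
//           if (!is_string($t) || !redeem_frame_ticket($_SESSION, $t, time())) {
//               http_response_code(403); exit;
//           }

// Constructed demo: one visitor session, and one session that never loaded the parent.
$visitor = [];
$t = issue_frame_ticket($visitor, 1000);
var_dump(redeem_frame_ticket($visitor, $t, 1005));  // iframe loaded by the parent page
var_dump(redeem_frame_ticket($visitor, $t, 1006));  // same URL reopened directly

$stranger = [];
var_dump(redeem_frame_ticket($stranger, $t, 1005)); // URL copied into another session

$t2 = issue_frame_ticket($visitor, 2000);
var_dump(redeem_frame_ticket($visitor, $t2, 2000 + FRAME_TICKET_TTL + 1)); // expired
```

Only the first call in the demo is accepted. Because the ticket is consumed on every attempt, a page that embeds the iframe more than once per render needs one ticket per embed.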