How to prevent a specific url from being typed in

Is there a way to redirect a user if they directly type in a url? Let's say I have a url that should only be accessible after users follow a process on the website. So, they can get to the url eventually but they mustn't be allowed to just type the url in to access the page. If they do just type it in they should be redirected. Not sure if this is possible?
Black Sulfur asked:

käµfm³d 👽 commented:
Depending on your web server, a URL rewrite could probably be useful here.
Chris Stanyon (WebDev) commented:
If the page needs to be accessible 'at some point', then a URL rewrite probably won't work. A rewrite would likely prevent the URL from being accessed at all.

A pretty simple solution here might be to just use a session variable. On the page that you want to restrict access to, run a quick check to see if a particular session variable is set. If it isn't, redirect them to somewhere else.

Then, as part of the process they need to go through to access the page, you just set the session variable at the appropriate time (i.e. when the process is complete).
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Two ways.

One is suggested above, a simple URL rewrite + based on your question about PHP, maybe you're trying to block this at the browser level somehow.

You can do this + this will require JavaScript to run at the browser level to trap realtime keystrokes + do rewriting.

Best for you to give a practical example of both source + target URL + exactly what you're trying to accomplish.

Likely someone can provide you with a solution.
Dave Baldwin (Fixer of Problems) commented:
I have done that based on $_SESSION variables that are set during the process.  If they don't have the correct data set up, then redirect them to the beginning of the process with a 'header' statement.
Black Sulfur (Author) commented:
I recall posting an answer but it didn't seem to actually post here! Argh.

Anyway, I will explain again. If the user goes to checkout and they checkout via credit card, I set a session variable there and then they are redirected to the 3rd party payment gateway in the same window. Once they enter their card details and the transaction is successful, they are redirected to a success page on the actual ecommerce website where I use the initially set session variable to send an email and update the database. This all works fine.

However, if the user goes to the payment gateway and then goes back in the browser, the session variable is still set. If they then just type in the success URL, the transaction actually processes and the database updates as if the purchase was successful. This obviously should not happen.

In this instance, the session variable IS set so they won't be redirected. I did take a wild guess and try something though which was also to check if there was a POST request. It seems that doing that has resolved the issue. So, I am checking if they are A. logged in, B. the session variable is set and C. was it a post request that took them to the success url.

This of course all assumes that the user knows what the success url is but it isn't hard to figure out because all you have to do is perform one successful transaction and you can see the success url.
Chris Stanyon (WebDev) commented:
Right. All payment gateways will have their own methods for making a callback to the originating server (i.e. your site), so you would need to read through their API documentation.

Generally, you POST data to the Gateway, and when the process is complete, they POST data back to your server and that data will contain all the relevant information needed for you to handle the results (success / failure etc.). This data will contain an ID of some kind (probably matching an ID that you originally passed to the gateway in the first place). You may have stored this in the session or the DB, so you would then just check the value you've stored against the value that was POSTed back. There are different ways of packaging this data, which is why you need to read the API docs.

Most gateways will send and receive the data in an encrypted package (you encrypt your data to send it using your secret password and then decrypt the data received back, again using the secret password).

The bottom line is that the callback URL should be checking the data that was POSTed to it. If no data was posted, or specific parts of the data don't check out, then you don't process it - this way if a user simply types in, or visits the success (callback) URL, you know it's not genuine.
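
The callback check described in the answer above, as an added example that is not part of the original thread or any gateway's own code. The field names (`order_id`, `amount`, `status`, `signature`), the HMAC-SHA256 signature standing in for the gateway's packaging of the data, and the array standing in for the session or database are all assumptions; the gateway's API documentation defines the real ones.

```php
<?php
// Added example. Assumed: field names, an HMAC-SHA256 signature over the
// posted fields, and $pendingOrders standing in for the session/DB record.
function callback_signature(array $fields, string $secret): string
{
    unset($fields['signature']);   // the signature never signs itself
    ksort($fields);                // canonical field order
    return hash_hmac('sha256', http_build_query($fields), $secret);
}

// Returns 'ok' only for a genuine, first-time callback that matches an order.
function handle_callback(string $method, array $post, array &$pendingOrders, string $secret): string
{
    if ($method !== 'POST') {
        return 'rejected: not a POST';
    }
    foreach (['order_id', 'amount', 'status', 'signature'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return 'rejected: missing field';
        }
    }
    // A browser can send a POST as well, so the signature is what proves origin.
    if (!hash_equals(callback_signature($post, $secret), $post['signature'])) {
        return 'rejected: bad signature';
    }
    $id = $post['order_id'];
    // Compare what came back against what was stored before the redirect.
    if (!isset($pendingOrders[$id]) || $pendingOrders[$id]['amount'] !== $post['amount']) {
        return 'rejected: unknown, mismatched or already processed order';
    }
    unset($pendingOrders[$id]);    // consume the order so a replay finds nothing
    return $post['status'] === 'success' ? 'ok' : 'payment failed';
}

// Constructed sample data.
$secret  = 'constructed-demo-secret';
$pending = ['A1001' => ['amount' => '49.99']];
$post    = ['order_id' => 'A1001', 'amount' => '49.99', 'status' => 'success'];
$post['signature'] = callback_signature($post, $secret);

echo handle_callback('GET', [], $pending, $secret), "\n";     // typed-in URL
echo handle_callback('POST', ['amount' => '0.01'] + $post, $pending, $secret), "\n"; // altered field
echo handle_callback('POST', $post, $pending, $secret), "\n"; // genuine callback
echo handle_callback('POST', $post, $pending, $secret), "\n"; // same callback replayed
```

Sending the email and updating the database belong only on the `'ok'` branch; removing the pending record is what stops a second visit to the success URL from processing the order again.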
Black Sulfur (Author) commented:
I read the teeny tiny callback section of the documentation, which is extremely vague and not very helpful as they give a one-line general example only in classic ASP. But it can be done. I guess I will have to call support and speak to a human who will hopefully be more helpful than their integration guide! Thanks for the answers.