[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: avoid user direct accec *.html

>>>>> "PH" == Patrick Hsieh <pahud@pahud.net> writes:
    PH> In PHP, I can check the HTTP_REFERER to make sure connections
    PH> originates from the same website. If the HTTP_REFERER is empty
    PH> or not belongs to the same website, I can redirect the client
    PH> to another webpage. [...]

Please do NOT do this.  It will seem to work most of the time, but it
will most certainly fail for perfectly valid requests.  Both HTTP 1.0
and 1.1 leave it as optional.  If you must control access in this
manner I'd say use some session mechanism or come up with a method
that doesn't break under perfectly valid client behaviour.  



To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: