Re: avoid user direct access *.html
Hello Craig Sanders <email@example.com>,
I was considering putting the static files outside the document root; however,
I'm afraid it will add directory complexity.
And you said a real authentication method could be useful. How?
Since they are just static files, I can't embed authentication in them,
On Tue, 30 Apr 2002 14:07:21 +1000
Craig Sanders <firstname.lastname@example.org> wrote:
> On Tue, Apr 30, 2002 at 02:12:03AM +0800, Patrick Hsieh wrote:
> > If I want to avoid users directly accessing my .html files, say by typing
> > the complete URL in the browser, is it possible?
> > In PHP, I can check HTTP_REFERER to make sure connections
> > originate from the same website. If HTTP_REFERER is empty or does not
> > belong to the same website, I can redirect the client to another
> > webpage. However, when it comes to static .html or even .jpg files, is
> > it possible to configure Apache to avoid that situation?
> you can't trust user-supplied data such as HTTP_REFERER for anything.
> "security" based on HTTP_REFERER is as dumb as "security" based on IP
> address. it doesn't work, and it can't work (sorry, but "sort of works
> sometimes in conditions completely outside of my control" does not
> qualify as "works").
> some browsers don't provide HTTP_REFERER, and some privacy-enhancing
> proxies strip it from all requests. in addition, it is trivially easy
> for anyone to forge HTTP_REFERER in any request.
> if you don't want static html (or any other file type) to be directly
> fetchable by end-users then don't put them under your document root.
> alternatively, use a real authentication method to restrict access.
> craig sanders <email@example.com>
> Fabricati Diem, PVNC.
> -- motto of the Ankh-Morpork City Watch
Patrick Hsieh <firstname.lastname@example.org>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
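As an added example (not part of this thread), here is how the two approaches look in Apache 2.4 configuration: the Referer check the question asks for, kept only to show what the reply rejects, beside the real authentication and out-of-docroot placement the reply recommends. The paths, hostname and password file are assumptions.

```apache
# Added example, not from the original thread. Assumed names:
# document root /var/www/html, protected tree /srv/protected,
# password file /etc/apache2/htpasswd, site www.example.com.

# --- "Before": the Referer-based gate from the question. The header is
# client-supplied, often absent (privacy proxies, some browsers) and can be
# set to any value, so this is NOT a security control. Shown for contrast.
<Directory "/var/www/html/private">
    SetEnvIf Referer "^https?://www\.example\.com/" local_ref=1
    Require env local_ref
</Directory>

# --- "After": what the reply recommends. The files live outside the
# document root, so only the aliased prefix is reachable by URL, and the
# directory requires real authentication instead of a guessable header.
# Create the password file with:  htpasswd -c /etc/apache2/htpasswd alice
Alias "/private" "/srv/protected"
<Directory "/srv/protected">
    AuthType Basic
    AuthName "Members only"
    AuthUserFile "/etc/apache2/htpasswd"
    Require valid-user
    Options -Indexes
</Directory>
```

Basic authentication sends credentials on every request, so the `/private` prefix should only be served over HTTPS.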