[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: avoid user direct accec *.html

Hello Craig Sanders <cas@taz.net.au>,

I was considering to put static files outsides documentroot, however,
I'm afraid it will add the directory complexity.

And you said a real authentication method could useful. How?
Since they are just static files, I can't embed authentication in them,

On Tue, 30 Apr 2002 14:07:21 +1000
Craig Sanders <cas@taz.net.au> wrote:

> On Tue, Apr 30, 2002 at 02:12:03AM +0800, Patrick Hsieh wrote:
> > If I want to avoid user to directly access my .html files, say type
> > the complete url in the browser, is it possible?
> > 
> > In PHP, I can check the HTTP_REFERER to make sure connections
> > originates from the same website. If the HTTP_REFERER is empty or not
> > belongs to the same website, I can redirect the client to another
> > webpage. However, when it comes to static .html or even .jpg files, is
> > it possible to configure apache to avoid that situation?
> no.
> you can't trust user-supplied data such as HTTP_REFERER for anything.
> "security" based on HTTP_REFERER is as dumb as "security" based on IP
> address.  it doesn't work, and it can't work (sorry, but "sort of works
> sometimes in conditions completely outside of my control" does not
> qualify as "works").
> some browsers don't provide HTTP_REFERER, and some privacy-enhancing
> proxies strip it from all requests.  in addition, it is trivially easy
> for anyone to forge HTTP_REFERER in any request.
> if you don't want static html (or any other file type) to be directly
> fetchable by end-users then don't put them under your document root.
> alternatively, use a real authentication method to restrict access.
> craig
> -- 
> craig sanders <cas@taz.net.au>
> Fabricati Diem, PVNC.
>  -- motto of the Ankh-Morpork City Watch

Patrick Hsieh <pahud@pahud.net>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg

To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: