Re: avoid user direct access *.html
Hello Craig Sanders <cas@taz.net.au>,
I was considering putting static files outside the document root; however,
I'm afraid it will add directory complexity.
And you said a real authentication method could be useful. How?
Since they are just static files, I can't embed authentication in them,
right?
On Tue, 30 Apr 2002 14:07:21 +1000
Craig Sanders <cas@taz.net.au> wrote:
> On Tue, Apr 30, 2002 at 02:12:03AM +0800, Patrick Hsieh wrote:
> > If I want to avoid users directly accessing my .html files, say by typing
> > the complete URL in the browser, is it possible?
> >
> > In PHP, I can check HTTP_REFERER to make sure connections
> > originate from the same website. If HTTP_REFERER is empty or does not
> > belong to the same website, I can redirect the client to another
> > webpage. However, when it comes to static .html or even .jpg files, is
> > it possible to configure Apache to avoid that situation?
>
> no.
>
> you can't trust user-supplied data such as HTTP_REFERER for anything.
>
> "security" based on HTTP_REFERER is as dumb as "security" based on IP
> address. it doesn't work, and it can't work (sorry, but "sort of works
> sometimes in conditions completely outside of my control" does not
> qualify as "works").
>
> some browsers don't provide HTTP_REFERER, and some privacy-enhancing
> proxies strip it from all requests. in addition, it is trivially easy
> for anyone to forge HTTP_REFERER in any request.
>
>
> if you don't want static html (or any other file type) to be directly
> fetchable by end-users then don't put them under your document root.
>
> alternatively, use a real authentication method to restrict access.
>
> craig
>
> --
> craig sanders <cas@taz.net.au>
>
> Fabricati Diem, PVNC.
> -- motto of the Ankh-Morpork City Watch
--
Patrick Hsieh <pahud@pahud.net>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
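As an added example, not from the thread or from either poster: the Apache configuration Craig's advice points to (files kept outside DocumentRoot, exposed only behind real authentication), with the Referer-based variant shown commented out for contrast. Apache 2.4 syntax; the paths, hostname, realm and htpasswd file are placeholders.

```apache
# Weak: Referer-based "protection" for static files. The header is
# client-supplied, may be absent (some browsers, privacy proxies) and can be
# set to anything, so this only inconveniences legitimate users.
#
# SetEnvIf Referer "^https://www\.example\.com/" local_ref
# <FilesMatch "\.(html|jpg)$">
#     Require env local_ref
# </FilesMatch>

# Better: keep the files outside DocumentRoot (placeholder path) and expose
# them only through an Alias whose directory requires authentication.
Alias /members/ /srv/private-static/
<Directory /srv/private-static/>
    AuthType Basic
    AuthName "Members only"
    AuthUserFile /etc/apache2/members.htpasswd
    Require valid-user
    # Basic auth sends credentials on every request; serve this over TLS only.
</Directory>
```

Create the password file with htpasswd(1) and apply the same `Require` to the .jpg files if they live in the same directory, so images are covered by the same check as the HTML.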