
Re: avoid user direct access *.html



>>>>> "PH" == Patrick Hsieh <pahud@pahud.net> writes:
[...]
    PH> In PHP, I can check the HTTP_REFERER to make sure connections
    PH> originate from the same website. If the HTTP_REFERER is empty
    PH> or does not belong to the same website, I can redirect the client
    PH> to another webpage. [...]

Please do NOT do this.  It will seem to work most of the time, but it
will most certainly fail for perfectly valid requests.  Both HTTP 1.0
and 1.1 leave it as optional.  If you must control access in this
manner I'd say use some session mechanism or come up with a method
that doesn't break under perfectly valid client behaviour.  

cheers,

BM
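
The session-based alternative suggested in the reply above, as an added example that is not part of the original message. The script name gate.php, the directory /srv/protected-html, the entry page /index.php and the session key "entered" are all assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumed layout: the protected
// *.html files live outside the document root in PROTECTED_DIR and are only
// reachable through this script, e.g. gate.php?page=report
declare(strict_types=1);

const PROTECTED_DIR = '/srv/protected-html'; // assumption: outside the docroot
const ENTRY_URL     = '/index.php';          // assumption: page that starts the session

// Server-side session state replaces the Referer check, so a client that
// sends no Referer header (valid under HTTP/1.0 and 1.1) is still handled
// correctly.
session_start([
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,
]);

// The entry page is assumed to set $_SESSION['entered'] = true once the
// visitor has passed whatever check the site requires (landing page, login).
if (empty($_SESSION['entered'])) {
    header('Location: ' . ENTRY_URL, true, 302);
    exit;
}

// Accept only a bare file name so the parameter cannot leave PROTECTED_DIR.
$page = $_GET['page'] ?? '';
if (!is_string($page) || !preg_match('/\A[A-Za-z0-9_-]+\z/', $page)) {
    http_response_code(400);
    exit;
}

$path = PROTECTED_DIR . '/' . $page . '.html';
if (!is_file($path)) {
    http_response_code(404);
    exit;
}

header('Content-Type: text/html; charset=utf-8');
readfile($path);
```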

