httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject [users@httpd] Re: how do i control access?
Date Mon, 23 Sep 2002 22:06:10 GMT
[Directing this back to the mailing list.  It is not really polite of me 
to send a private email to a mailing list, but then again, it is not 
really polite to take a mailing list discussion and needlessly turn it 
private, so I guess we're even.]

tonydeng@sbcglobal.net wrote:
> If it's not a very good idea using the referer, what do you suggest?
> 
> I have a server, and there is another server totally independent from mine.
> Their server has their own authentication system in place. However, I only
> want the people who have already been authenticated from their server have
> complete access to my server. Everyone else, except from a few domains, will
> not have any access. I have no access to any of their user accounts or
> passwords. How would I go about allowing their users access without having
> to recreate every account or make my server part of their servers?

This is a difficult problem.  Just look at the hoops that MS Passport 
makes your browser go through before you can access hotmail (redirect, 
ssl, redirect, redirect, cookie, javascript, redirect, etc).

In general, you can use some cryptographically strong magic number in 
the URL (that must change for each user), or you can do funky things 
with embedding a cookie in an image that is served from your site but 
referenced from a page on their site (but some browsers will not allow 
this).  But none of this will be easy to set up.  Perhaps others on 
the list have simpler ideas.

If you just want to prevent the casual browser from easily getting to 
your site without going through the other site, then referer blocking is 
fine.  But it is not real security.  Anyone with five minutes on their 
hands can easily circumvent it.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
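The "cryptographically strong magic number in the URL (that must change for each user)" idea above, worked through as an added example that is not part of Joshua's message or of Apache httpd: the partner server signs a per-user, expiring link with an HMAC over a shared secret, and our server verifies it before granting access. The shared secret, the 300-second lifetime and the query-string layout are assumptions for the example, not anything the thread specifies.

```python
import hmac
import hashlib
import time
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Hypothetical secret agreed out of band between the two servers (constructed value).
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_LIFETIME = 300  # seconds a signed link stays valid (assumed)


def sign_url(base_url, user, secret=SHARED_SECRET, now=None):
    """Run on the partner server after it has authenticated `user`.
    The HMAC covers the user, an expiry and a random nonce, so every link is
    unique per user, cannot be edited to name someone else, and stops working
    once it expires."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    now = int(time.time()) if now is None else now
    exp = now + TOKEN_LIFETIME
    nonce = secrets.token_hex(8)
    msg = f"{user}|{exp}|{nonce}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return base_url + "?" + urlencode({"user": user, "exp": exp,
                                       "nonce": nonce, "sig": sig})


def verify_url(url, secret=SHARED_SECRET, now=None, seen=None):
    """Run on our server before serving the request. Returns the user name on
    success, or None if a field is missing, the link has expired, the nonce
    was already used (when a `seen` set is supplied) or the signature is wrong."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        user, exp, nonce, sig = [q[k][0] for k in ("user", "exp", "nonce", "sig")]
        exp = int(exp)
    except (KeyError, ValueError):
        return None
    if "|" in user or exp < now:
        return None
    msg = f"{user}|{exp}|{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(expected, sig):
        return None
    if seen is not None:
        if nonce in seen:  # replay of a still-valid link within its lifetime
            return None
        seen.add(nonce)
    return user
```

Unlike a Referer check, which the client controls, the signature can only be produced by a party holding the secret, and the expiry bounds how long a leaked link is useful.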

