From: Joshua Slive
To: tonydeng@sbcglobal.net, users@httpd.apache.org
Date: Mon, 23 Sep 2002 18:06:10 -0400
Message-ID: <3D8F9052.5080003@slive.ca>
Subject: [users@httpd] Re: how do i control access?

[Directing this back to the mailing list. It is not really polite of me to send a private email to a mailing list, but then again, it is not really polite to take a mailing list discussion and needlessly turn it private, so I guess we're even.]

tonydeng@sbcglobal.net wrote:
> If it's not a very good idea using the referer, what do you suggest?
>
> I have a server, and there is another server totally independent from mine.
> Their server has their own authentication system in place. However, I only
> want the people who have already been authenticated from their server to have
> complete access to my server. Everyone else, except from a few domains, will
> not have any access. I have no access to any of their user accounts or
> passwords. How would I go about allowing their users access without having
> to recreate every account or make my server part of their servers?

This is a difficult problem. Just look at the hoops that MS Passport makes your browser go through before you can access hotmail (redirect, ssl, redirect, redirect, cookie, javascript, redirect, etc).

In general, you can use some cryptographically strong magic number in the URL (that must change for each user), or you can do funky things with embedding a cookie in an image that is served from your site but referenced from a page on their site (but some browsers will not allow this). But none of this will be easy to set up. Perhaps others on the list have simpler ideas.

If you just want to prevent the casual browser from easily getting to your site without going through the other site, then referer blocking is fine. But it is not real security. Anyone with five minutes on their hands can easily circumvent it.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
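The "cryptographically strong magic number in the URL that must change for each user" that Joshua mentions can be built as a signed, expiring, single-use link: the partner server mints it after its own login using a secret shared with our server, and our server verifies it without ever seeing the partner's accounts or passwords. This is an added example, not code from the thread or from Apache httpd; the shared secret, the TTL and the URL parameter names are constructed assumptions, and the check for an already-used nonce is an extension beyond what the message spells out.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Secret agreed out of band between the two server operators (constructed sample value).
SHARED_SECRET = b"example-shared-secret-change-me"
TOKEN_TTL = 300          # seconds a minted link stays valid
_seen_nonces = set()     # nonces already redeemed, so a captured link cannot be replayed


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sig(user: str, expires: int, nonce: str) -> str:
    # HMAC over every field our server will act on; changing any of them breaks the tag.
    msg = f"{user}|{expires}|{nonce}".encode()
    return _b64(hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest())


def issue_link(base_url: str, user: str, now=None) -> str:
    """Partner server side: mint a per-user, time-limited link after its own login."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    nonce = _b64(secrets.token_bytes(12))  # fresh per link, so every URL differs
    params = {"u": user, "e": expires, "n": nonce, "s": _sig(user, expires, nonce)}
    return f"{base_url}?{urlencode(params)}"


def verify_link(url: str, now=None):
    """Our server side: return the user name if the link is genuine, unexpired
    and not yet redeemed; otherwise return None (the request is refused)."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        user, expires, nonce, sig = (q[k][0] for k in ("u", "e", "n", "s"))
        expires = int(expires)
    except (KeyError, ValueError):
        return None                      # missing or malformed parameters
    if now > expires:
        return None                      # link has aged out
    # Constant-time comparison so timing reveals nothing about the expected tag.
    if not hmac.compare_digest(sig, _sig(user, expires, nonce)):
        return None                      # forged or tampered link
    if nonce in _seen_nonces:
        return None                      # replay of a link that was already used
    _seen_nonces.add(nonce)
    return user
```

After a successful verification our server would set its own session cookie, so the token only has to survive the one redirect from the partner site; a plain Referer check, by contrast, carries no secret at all and is what the thread warns against relying on.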