httpd-users mailing list archives

From "Jacob Coby" <jc...@listingbook.com>
Subject Re: [users@httpd] Display Domain Only?
Date Tue, 26 Nov 2002 18:32:56 GMT
> On Tue, 26 Nov 2002, Matias Silva wrote:
> > I agree that complete url access is invaluable to public sites, but I'm
> > working on a site that interacts with our software product.  This site
> > would be limited to a certain group of users.  Sometimes our users
> > can get some crazy ideas by possibly inserting data into the url (we all
> > have done it) ....
>
> The obvious solution would be to switch from get to post for your form
> method.

Another option would be to use a server-side language, and have it parse the
headers and return data based on them, instead of the url.

You could combine it with mod_ssl and mod_auth to make sure that only people
using your application can access the data.  This all assumes your app is a
binary, not a web-app.

You could also make all file retrievals go through a server-side script, and
have that script do verification based on a uid and a file request.  If you
don't get both right (the uid has to match the uid for the requested file),
you don't get the file.  Minor security, but it prevents randomly finding
information about your site, assuming that the uid is not obtainable from
the filename.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
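
The uid-plus-file check described in the last paragraph of the message, as an added example that is not part of the original post. The ownership table, uid values, base directory and function name are constructed assumptions.

```python
import hmac
from pathlib import Path
from typing import Optional

# Constructed sample data (assumption): requested name -> uid required for it.
# The uids are opaque tokens that cannot be derived from the filename.
FILE_OWNERS = {
    "reports/q3.pdf": "9f2c1e7ab4d0",
    "reports/q4.pdf": "51d8c03e6fa2",
}
BASE_DIR = Path("/srv/app-files")  # hypothetical directory the script serves from


def resolve_request(uid: str, requested: str,
                    owners: dict = FILE_OWNERS,
                    base_dir: Path = BASE_DIR) -> Optional[Path]:
    """Return the path to serve, or None.

    Every failure returns the same None, so a caller cannot tell a wrong
    uid apart from a file that does not exist.
    """
    expected = owners.get(requested)
    known = expected is not None
    # Run the comparison even for unknown files, and use a constant-time
    # compare so the uid is not leaked through timing.
    match = hmac.compare_digest((expected or "").encode(), uid.encode())
    if not (known and match and uid):
        return None
    # Only names listed in the table get this far; resolve anyway so a bad
    # table entry such as "../secret" cannot escape base_dir.
    base = base_dir.resolve()
    target = (base / requested).resolve()
    if base not in target.parents:
        return None
    return target
```

The script's caller should answer every None with one identical response (for example a 404), whatever the reason for the refusal.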

