httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] Restricting page access
Date Thu, 10 Mar 2005 20:17:50 GMT
On Thu, 10 Mar 2005 12:03:50 -0800, Richard Crawford
<rcrawford@unexmail.ucdavis.edu> wrote:
> PMilanese@nypl.org wrote:
> > This is not safe anyhow. Many browsers/users have the ability to fake the
> > referrer, or leave it out. This means that if those users try to access
> > your site, they will have a problem. It is not problem free, even if you
> > get it working.
> 
> Yeah, I'm discovering that based on some research that I've been doing.
> I'd still like to implement a solution along these lines, assuming
> that the vast majority of our users are not sophisticated enough to be
> able to spoof the referer.
> 
> What I'd like to be able to do is find a way to prevent any page in our
> site from being viewed without authentication.  For our CF pages, this
> is easy enough to implement with standard CF coding at the top of each
> page.  Our authentication resides in a database, though, and I don't
> want to have to implement additional authentication using an .htaccess
> file.  I'm sure that this is possible, since I know we're not the first
> ones to come up against this problem. Unfortunately, the guy who set
> this site up in the first place didn't account for this situation, and
> I'm just the temp they hired to make it all work.  8-0)

Don't rely on referer for this, unless you really don't care about
security.  Most sites that don't want to use http basic or digest auth
will manage the sessions themselves using cookies.  For this, all
pages indeed need to be handled by the same engine that controls the
session cookies.

You can, however, have apache manage the session cookies once they
have been set, and therefore avoid needing to go through your CF pages
all the time.  One module that does this is mod_auth_cookie:
http://raburton.lunarpages.com/apache/mod_auth_cookie/

Joshua.
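The advice above comes down to one rule: the Referer header is client-supplied and is not a credential, so the only thing the server may trust is a session token it issued itself and can verify. The following is an added example, not code from this thread or from mod_auth_cookie, showing what "apache (or any front end) manages the session cookie once it has been set" means in practice: the cookie carries a user name and an issue time bound by an HMAC under a server-side secret, and the authorizer ignores Referer entirely. The secret, the cookie name `sess`, the one-hour lifetime and the sample headers are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret that never reaches the client. Constructed for the demo.
SECRET = b"constructed-demo-secret-replace-and-rotate"
COOKIE_NAME = "sess"      # assumed cookie name
MAX_AGE_SECONDS = 3600    # assumed session lifetime


def make_session_cookie(user: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Issue a cookie value 'base64(user|issued_at).hmac' for a user who just authenticated.

    This is the step the CF login page would perform against its own database;
    everything after that only needs the secret, not the database.
    """
    if "|" in user:
        raise ValueError("user name may not contain the field separator")
    payload = f"{user}|{issued_at}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_session_cookie(cookie: str, now: int, secret: bytes = SECRET):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)   # binascii.Error is a ValueError
        user, issued = payload.decode().split("|", 1)
        issued_at = int(issued)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    if now < issued_at or now - issued_at > MAX_AGE_SECONDS:
        return None
    return user


def parse_cookies(header: str) -> dict:
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def authorize(headers: dict, now: int):
    """Access decision for a protected page: the user name on success, None otherwise.

    Referer is deliberately never consulted; a request that only "looks like" it
    came from our own site gets the same answer as one with no headers at all.
    """
    jar = parse_cookies(headers.get("Cookie", ""))
    cookie = jar.get(COOKIE_NAME)
    if cookie is None:
        return None
    return verify_session_cookie(cookie, now)


if __name__ == "__main__":
    now = 1_700_000_000                        # constructed clock value
    good = make_session_cookie("rcrawford", now)
    print(authorize({"Cookie": f"{COOKIE_NAME}={good}"}, now))                   # rcrawford
    print(authorize({"Referer": "http://www.example.edu/index.cfm"}, now))        # None
    print(authorize({"Cookie": f"{COOKIE_NAME}={good}"}, now + 2 * MAX_AGE_SECONDS))  # None
```

The design point is where the trust lives: `verify_session_cookie` needs only the secret, so a front end such as Apache can answer for every static page without a round trip to the ColdFusion code or the database, while a client that omits or fabricates Referer changes nothing.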

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org