> the match strings are wrong, should be !^http://....$
Thanks Walter, I tried your suggestion but get the same result. I inherited this site from another company and I've already let my users know that it's an insecure way of doing it and demonstrated with a simple Chrome extension how easy it is to bypass. Is there another way to do this?
Brad
-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, June 04, 2014 7:12 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users] Only allow access from specific domains?
On 03.06.2014 21:05, Brad Harris wrote:
> I've been trying to configure a website to send a 403 forbidden error unless the user comes from a specific website/domain, which is a logon page hosted on another server.
Design error, because, the Referer is fakeable and makes the logon page
not neccessary ...
> RewriteEngine On
> # this is the domain hosting the login page
> RewriteCond %{HTTP_REFERER} !logon_domain.com [NC]
> # this is the domain hosting the WordPress site
> RewriteCond %{HTTP_REFERER} !wordpress_site.com [NC]
> RewriteRule .* - [F]
> ErrorDocument 403 http://logon_domain.com/Login.aspx
>
> The last line of my rewrite error log:
> forcing responsecode 403 for /var/www/html/...
>
the match strings are wrong, should be !^http://....$
Walter
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|