PMilanese@xxxxxxxx wrote:
> This is not safe anyhow. Many browsers/users have the ability to fake the referrer, or leave it out. This means that if those users try to access your site, they will have a problem. It is not problem free, even if you get it working.
Yeah, I'm discovering that based on some research that I've been doing. I'd still like to implement a solution along these lines, assuming that the vast majority of our users are not sophisticated enough to be able to spoof the referer.
What I'd like to be able to do is find a way to prevent any page in our site from being viewed without authentication. For our CF pages, this is easy enough to implement with standard CF coding at the top of each page. Our authentication resides in a database, though, and I don't want to have to implement additional authentication using an .htaccess file. I'm sure that this is possible, since I know we're not the first ones to come up against this problem. Unfortunately, the guy who set this site up in the first place didn't account for this situation, and I'm just the temp they hired to make it all work. 8-0)
-----Original Message-----
From: rcrawford@xxxxxxxxxxxxxxxxxxxx [mailto:rcrawford@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, March 10, 2005 1:12 PM
To: sitz@xxxxxxxxxxxx
Cc: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Restricting page access

Noah wrote:
> On Wed, Mar 09, 2005 at 02:54:54PM -0800, Richard Crawford wrote:
>> I tried adapting the solution from the _Apache Cookbook_ that prevents
>> linking of local images by remote sites, but that didn't seem to do the
>> trick. Here is the .htaccess file that I created:
>>
>> <FilesMatch "\.pdf$">
>>   SetEnvNoCase Referer "^http://outsite.edu" local_referer=1
>>   Order Deny,Allow
>>   Allow from env=local_referer
>> </FilesMatch>
>
> You don't specify a Deny directive here:
>
> <FilesMatch "\.pdf$">
>   SetEnvNoCase Referer "^http://outsite.edu" local_referer=1
>   Order deny,allow
>   Deny from all
>   Allow from env=local_referer
> </FilesMatch>

Thanks for the tip. It's still not working, but I think I know why; it has to do with the JRun configuration, and not Apache.

--
Richard S. Crawford
Programmer III
UC Davis Extension Distance Education Group (http://unexdlc.ucdavis.edu)
2901 K Street, Suite 200C
Sacramento, CA 95816
(916)327-7793

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--
Richard S. Crawford
Programmer III
UC Davis Extension Distance Education Group (http://unexdlc.ucdavis.edu)
2901 K Street, Suite 200C
Sacramento, CA 95816
(916)327-7793
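
Added example, not part of the original thread or of Apache itself: a small Python model of the documented `Order deny,allow` behaviour, applied to the two `<FilesMatch>` blocks quoted above. It shows why the block without `Deny from all` restricts nothing, and which clients the corrected block lets through or locks out. The function names and the sample requests are constructed for illustration.

```python
import re

# Pattern from the thread's SetEnvNoCase line: case-insensitive prefix match.
REFERER_RE = re.compile(r"^http://outsite.edu", re.IGNORECASE)

def set_env(headers):
    """Model SetEnvNoCase: set local_referer=1 when the Referer header matches."""
    env = {}
    if REFERER_RE.search(headers.get("Referer", "")):
        env["local_referer"] = "1"
    return env

def order_deny_allow(env, deny_all, allow_env):
    """Model 'Order deny,allow': Deny rules are evaluated first, a matching
    Allow overrides them, and a request matching neither rule is allowed."""
    if allow_env in env:          # 'Allow from env=NAME' matched
        return True
    return not deny_all           # denied only if 'Deny from all' is present

def check(headers, deny_all):
    """True if the modelled .htaccess block would serve the PDF."""
    return order_deny_allow(set_env(headers), deny_all, "local_referer")

# Constructed sample requests (header sets only, no real traffic).
REQUESTS = {
    "link clicked on the site": {"Referer": "http://outsite.edu/course/index.cfm"},
    "Referer stripped by browser or proxy": {},
    "bookmark or typed URL": {},
    "client that sets the header itself": {"Referer": "http://outsite.edu/"},
    "link from another site": {"Referer": "http://example.org/links.html"},
}

def evaluate(deny_all):
    """Decision per sample request for the block with or without 'Deny from all'."""
    return {name: check(h, deny_all) for name, h in REQUESTS.items()}

if __name__ == "__main__":
    for label, deny_all in (("without 'Deny from all'", False),
                            ("with 'Deny from all'", True)):
        print(label)
        for name, ok in evaluate(deny_all).items():
            print(f"  {'200' if ok else '403'}  {name}")
```

The second table is the point made at the top of the thread: the header is supplied by the client, so the rule cannot tell a logged-in user from anyone else, and it refuses legitimate users whose browser omits the Referer.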