On Thu, 10 Mar 2005 12:03:50 -0800, Richard Crawford <rcrawford@xxxxxxxxxxxxxxxxxxxx> wrote: > PMilanese@xxxxxxxx wrote: > > This is not safe anyhow. Many browsers/users have the ability to fake the > > referrer, or leave it out. This means that if those users try to access > > your site, they will have a problem. It is not problem free, even if you > > get it working. > > Yeah, I'm discovering that based on some research that I've been doing. > I'd still like to implement a solution along these lines, assuming > that the vast majority of our users are not sophisticated enough to be > able to spoof the referer. > > What I'd like to be able to do is find a way to prevent any page in our > site from being viewed without authentication. For our CF pages, this > is easy enough to implement with standard CF coding at the top of each > page. Our authentication resides in a database, though, and I don't > want to have to implement additional authentication using an .htaccess > file. I'm sure that this is possible, since I know we're not the first > ones to come up against this problem. Unfortunately, the guy who set > this site up in the first place didn't account for this situation, and > I'm just the temp they hired to make it all work. 8-0) Don't rely on referer for this, unless you really don't care about security. Most sites that don't want to use http basic or digest auth will manage the sessions themselves using cookies. For this, all pages indeed need to be handled by the same engine that controls the session cookies. You can, however, have apache manage the session cookies once they have been set, and therefore avoid needing to go through your CF pages all the time. One module that does this is mod_auth_cookie: http://raburton.lunarpages.com/apache/mod_auth_cookie/ Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|