Re: Referring URL Authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 3/14/07, Matthew Vickery <vickery.matthew@xxxxxxxxx> wrote:
The situation is as follows:
I wish to protect the entire Website http://www.example.com from
direct URL access. i.e. if someone enters http://www.example.com into
their browser they get a message stating that they are not authorised
to access the site.  The only way to access http://www.example.com
should be to log into a second site http://www.intranet.com and follow
a link from within to http://www.example.com.

The problem:
I initially thought I should use the predefined PHP variable
$_SERVER['HTTP_REFERER'], but the PHP website explains that this
"cannot really be trusted"
(http://uk2.php.net/manual/en/reserved.variables.php).

Next I thought about HTTP authentication.  If I password protect the
the Website using .htaccess and .htpasswd as follows:
Code:

AuthName "Login to access the Website"
AuthType Basic
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
Require user username


Then my link within http://www.intranet.com could simply be:
Code:

<a href="http://username:password@xxxxxxxxxxxxxxx";>Link to example.com</a>


However this doesn't seem secure.  The username and password are
visible to anyone who views the source of the page with the link.
Also as these are not encrypted is it not possible for them to be
intercepted?

I could of course write my own authentication code on
http://www.example.com and pass a variable via a GET or POST from
http://www.intranet.com, which would cause a login and a cookie to be
set there.  But this is basically the same as above and still seems
insecure!

Is there a better/standard way to do this kind of thing?

Any help will be most appreciated,

Matthew

I don't know about a standard way of doing this, and the biggest part
of this problem is on the users side, the side that you cannot change
with a PHP code.

AFAIK browsers as IE, FireFox and Mozilla just set the referer header
fine, but some other silly browsers might not, and thereby might not
be able to access your protected site. Also, this is quite easy to
hack, as some browsers even support defining what referer to use.

But i see you really care that a user is authenticated, so a login
system is recommended. .htaccess files would do the job sometimes, but
not always, so i think you'd be better off using cookies/sessions.

Tijnema

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux