On 3/14/07, Matthew Vickery <vickery.matthew@xxxxxxxxx> wrote:
The situation is as follows: I wish to protect the entire Website http://www.example.com from direct URL access. i.e. if someone enters http://www.example.com into their browser they get a message stating that they are not authorised to access the site. The only way to access http://www.example.com should be to log into a second site http://www.intranet.com and follow a link from within to http://www.example.com. The problem: I initially thought I should use the predefined PHP variable $_SERVER['HTTP_REFERER'], but the PHP website explains that this "cannot really be trusted" (http://uk2.php.net/manual/en/reserved.variables.php). Next I thought about HTTP authentication. If I password protect the the Website using .htaccess and .htpasswd as follows: Code: AuthName "Login to access the Website" AuthType Basic AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd Require user username Then my link within http://www.intranet.com could simply be: Code: <a href="http://username:password@xxxxxxxxxxxxxxx">Link to example.com</a> However this doesn't seem secure. The username and password are visible to anyone who views the source of the page with the link. Also as these are not encrypted is it not possible for them to be intercepted? I could of course write my own authentication code on http://www.example.com and pass a variable via a GET or POST from http://www.intranet.com, which would cause a login and a cookie to be set there. But this is basically the same as above and still seems insecure! Is there a better/standard way to do this kind of thing? Any help will be most appreciated, Matthew
I don't know about a standard way of doing this, and the biggest part of this problem is on the users side, the side that you cannot change with a PHP code. AFAIK browsers as IE, FireFox and Mozilla just set the referer header fine, but some other silly browsers might not, and thereby might not be able to access your protected site. Also, this is quite easy to hack, as some browsers even support defining what referer to use. But i see you really care that a user is authenticated, so a login system is recommended. .htaccess files would do the job sometimes, but not always, so i think you'd be better off using cookies/sessions. Tijnema
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php