Posted by Nosferatum on 03/15/07 08:42
On 15 Mar, 09:33, Rik <luiheidsgoe...@hotmail.com> wrote:
> Nosferatum <John.Ola...@gmail.com> wrote:
> > On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.com> wrote:
> >> Nosferatum <John.Ola...@gmail.com> wrote:
> >> > I am in need of a solution on how to solve this problem:
>
> >> > I need to limit access to six different folders. My users are
> >> > validated in a system which checks their presence with a couple of
> >> > variables in a db and then forwards them if they exist. Based upon
> >> > their status they are redirected to one of six folders.
> >> > Users belonging to group A shall get access to folder A, but not B, C
> >> > etc. It must be possible to limit access in this order by referrer,
> >> > but I really don't know how to do this. Perhaps in a combination with
> >> > a .htaccess file?
> >> > Right now it's not a big deal for, for example, users from group C to
> >> > explore the folders belonging to group A, B, D etc. And that's my big
> >> > problem, since each folder should be accessible to ONLY one group.
>
> >> Do _NOT_ use referer for this. If there's something that is easily
> >> forged
> >> it's that.
>
> > But I thought that limiting one special url as referrer and deny
> > everybody else in .htaccess in the target folder was the most secure
> > way to solve this?
> > Like:
>
> > Options +FollowSymLinks
> > RewriteEngine on
> > RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-folder/the-only-allowed-page.php [NC]
> > RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/
>
> No, it isn't. I can still access that page directly without ever being on
> 'the-only-allowed-page.php'. The 'referer' is just a header browsers may
> or may not send (I usually don't send one, and many firewalls block it),
> with arbitrary data the current UA deems fit for it. Fun for statistics
> (although there is something called referer-spam), totally unsuited for
> security.
>
> If you want this for security, you might as well ask a user directly:'Are
> you a registered user (yes/no)?', and trust their answer without question.
>
> To give you an example:
> $handle = fsockopen('www.example.com', 80);
> $request = "GET /your/secured/folder/ HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/i/just/claim/to/have/been/here.php\r\nConnection: close\r\n\r\n";
> fwrite($handle, $request);
> while (!feof($handle)) {
>     echo fgets($handle);
> }
>
> --
> Rik Wasmus
> Posted on Usenet, not any forum you might see this in.
> Ask Smart Questions: http://tinyurl.com/anel
Oh, I get your point. Thanks for stopping me from doing something
really stupid... :-) (*blush*)
I have to learn how to use sessions.
By the way: Is it advisable to add a session unregister event upon
page leave, or timeout?
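A session-based gate of the kind Rik is pointing at, as an added example that is not code from this thread. It assumes the existing login code stores the user's group in $_SESSION['group'] after validating them against the db; the file name group_guard.php and the idle timeout value are also assumptions.

```php
<?php
// group_guard.php (assumed name): one guard included at the top of every
// page in a protected folder. Authorization comes from server-side session
// state written at login, not from a client-supplied header, so a forged
// Referer (as in Rik's fsockopen demo) buys the caller nothing.
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds of inactivity before logout; assumed value

function require_group(string $allowed): void
{
    // Cookie flags reduce the chance of the session id leaking; the
    // session is only started here so every page uses the same guard.
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();

    // Answer to the timeout question: expire idle sessions server-side.
    // A "page leave" event cannot be relied on, the browser may never send it.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        deny('session expired');
    }
    $_SESSION['last_seen'] = $now;

    // The group was set by the login code (assumed: $_SESSION['group']).
    // $_SERVER['HTTP_REFERER'] is deliberately never consulted.
    if (($_SESSION['group'] ?? null) !== $allowed) {
        deny('not a member of group ' . $allowed);
    }
}

function deny(string $reason): void
{
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Forbidden: ' . $reason);
}

// Usage at the top of e.g. /A/index.php:
//   require __DIR__ . '/../group_guard.php';
//   require_group('A');
```

The guard only protects requests that reach PHP; static files (images, plain HTML) in the same folder are still served directly by Apache, so keep them outside the document root and hand them out through a PHP script that calls the same guard.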