Posted by Rik on 03/15/07 08:33
Nosferatum <John.Olav.O@gmail.com> wrote:
> On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.com> wrote:
>> Nosferatum <John.Ola...@gmail.com> wrote:
>> > I am in need of a solution on how to solve this problem:
>>
>> > I need to limit access to six different folders. My users are
>> > validated in a system which checks their presence with a couple of
>> > variables in a db and then forwards them if they exist. Based upon
>> > their status they are redirected to one of six folders.
>> > Users belonging to group A shall get access to folder A, but not B, C
>> > etc. It must be possible to limit access in this order by referrer,
>> > but I really don't know how to do this. Perhaps in a combination with
>> > a .htaccess file?
>> > Right now it's not a big deal for, for example, users from group C to
>> > explore the folders belonging to group A, B, D etc. And that's my big
>> > problem, since each folder should be accessible to ONLY one group.
>>
>> Do _NOT_ use referer for this. If there's something that is easily forged
>> it's that.
>
> But I thought that limiting one special url as referrer and deny
> everybody else in .htaccess in the target folder was the most secure
> way to solve this?
> Like:
>
> Options +FollowSymLinks
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-folder/the-only-allowed-page.php [NC]
> RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/
No, it isn't. I can still access that page directly without ever being on
'the-only-allowed-page.php'. The 'referer' is just a header browsers may
or may not send (I usually don't send one, and many firewalls block it),
with arbitrary data the current UA deems fit for it. Fun for statistics
(although there is something called referer-spam), totally unsuited for
security.
If you want this for security, you might as well ask a user directly: 'Are
you a registered user (yes/no)?', and trust their answer without question.
To give you an example:
$handle = fsockopen('www.example.com', 80);
if (!$handle) {
    die('could not connect');
}
// The Referer line is plain text chosen by whoever writes the request.
$request = "GET /your/secured/folder/ HTTP/1.1\r\n"
         . "Host: www.example.com\r\n"
         . "Referer: http://www.example.com/i/just/claim/to/have/been/here.php\r\n"
         . "Connection: close\r\n\r\n";
fwrite($handle, $request);
while (!feof($handle)) {
    echo fgets($handle);
}
fclose($handle);
-- 
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
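Added example, not from the thread: the server-side alternative Rik's objection points to, a PHP gate that hands out a file from one of the six folders only when the logged-in session's group matches that folder, so the Referer header never enters the decision. The session key `$_SESSION['group']`, the `protected/` directory and the `serve.php?dir=&file=` URL shape are assumptions.

```php
<?php
// Added example (not from the thread): a session-based gate for the six
// per-group folders, replacing the referer test. Assumption: the login
// code that validated the user against the db stored their group letter
// (A..F) in $_SESSION['group']. The folders live in PROTECTED_ROOT,
// outside the web root, so the only way to reach a file is this script.
declare(strict_types=1);

const PROTECTED_ROOT = __DIR__ . '/../protected';   // assumed location
const GROUPS = ['A', 'B', 'C', 'D', 'E', 'F'];

// Policy decision kept free of globals so it can be tested on its own:
// the session's group must equal the folder asked for, and the file
// name must be a plain name (no slashes, no leading dot, so no "..").
function may_access(?string $group, string $folder, string $file): bool
{
    if ($group === null || !in_array($group, GROUPS, true)) {
        return false;                       // not logged in / unknown group
    }
    if ($folder !== $group) {
        return false;                       // group C asking for folder A
    }
    return (bool) preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*$/', $file);
}

function serve(string $folder, string $file): void
{
    session_start();
    $group = $_SESSION['group'] ?? null;
    if (!is_string($group) || !may_access($group, $folder, $file)) {
        http_response_code(403);
        exit('Forbidden');
    }
    // Resolve and re-check the path on disk, independent of may_access().
    $base = realpath(PROTECTED_ROOT . '/' . $folder);
    $real = realpath(PROTECTED_ROOT . '/' . $folder . '/' . $file);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: ' . (mime_content_type($real) ?: 'application/octet-stream'));
    readfile($real);
}

// Requested as /serve.php?dir=A&file=report.html
if (PHP_SAPI !== 'cli') {
    serve((string) ($_GET['dir'] ?? ''), (string) ($_GET['file'] ?? ''));
}
```

The forged request in Rik's example gets a 403 from this script unless it also carries a session cookie for a user the db placed in that group.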