Posted by Roman on 06/16/07 16:19
Jerry Stuckle wrote:
> Nosferatum wrote:
>> Hi, on my Apache server I want to limit access to a certain file output
>> (from php/MySQL) to just one IP. The idea is that users from another
>> site should click a link which redirects them to my special page on my
>> server. Only those who access my page from one particular URL are
>> allowed to see my file. All others are denied.
>> Is it possible to solve this with a .htaccess file, or do I need a php
>> solution?
>>
>
> You can't do it at all. HTTP_REFERER can be faked or may not be sent,
> for instance.
How important is it for anyone to go to the trouble to fake it? If OP is
trying to protect a million bucks, hackers will go to great extent to
fake it. If he is simply showing or not showing his email address,
spammers are not going to bother hacking his site to get one more ;)
>
> You could theoretically do something like have a parameter you pass with the
> request; it would change once a minute and would only be good for 90
> seconds or so. But you'd have to keep the two systems in sync.
>
> Or you could generate a list of parameters and make each one good only
> once. But you'll have to maintain potentially long lists, and the more
> items in the list the better chance of having someone find it. But if
> the parameter string is long enough, it won't happen.
>
> A couple of ideas, anyway.
>
Or generate a random but verifiable code that will be sent as a script
parameter in the URL. If he embeds a rolling code with little tolerance,
the link will expire.
Or have a forwarding website contact the receiving website via
webservice informing it about the incoming visitor.
Or combine these two methods and generate random expirable code that
will be first communicated to receiving website and then passed as
session ID inside the URI.
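
The "random but verifiable code" with an expiry discussed above can be built as an HMAC-signed, single-use link. This is an added example, not code from the thread; it assumes both sites share a secret key, and the parameter names (`ts`, `n`, `sig`), function names and the `receiver.example` URL are hypothetical.

```php
<?php
// Added example. Parameter names (ts, n, sig) and function names are hypothetical.
const MAX_AGE = 90; // seconds a link stays valid, the figure suggested in the thread

// Referring site: append a timestamp, a random nonce and an HMAC over both.
function make_link(string $base, string $secret, ?int $now = null): string {
    $ts = (string)($now ?? time());
    $nonce = bin2hex(random_bytes(16));
    $sig = hash_hmac('sha256', $ts . '.' . $nonce, $secret);
    return $base . '?' . http_build_query(['ts' => $ts, 'n' => $nonce, 'sig' => $sig]);
}

// Receiving site: accept only a fresh, correctly signed, never-seen token.
// $seen stands in for a persistent store (e.g. a MySQL table keyed on the nonce).
function verify_link(array $q, string $secret, array &$seen, ?int $now = null): bool {
    $now = $now ?? time();
    foreach (['ts', 'n', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) return false; // missing or array-valued
    }
    if (!ctype_digit($q['ts'])) return false;
    if (abs($now - (int)$q['ts']) > MAX_AGE) return false;       // expired or clock skew
    $expected = hash_hmac('sha256', $q['ts'] . '.' . $q['n'], $secret);
    if (!hash_equals($expected, $q['sig'])) return false;        // forged or altered
    if (isset($seen[$q['n']])) return false;                     // replayed
    $seen[$q['n']] = (int)$q['ts'];
    return true;
}

// Constructed demo values; in use the secret is a long random key held by both sites.
$secret = 'constructed-demo-secret';
$base = 'https://receiver.example/page.php';
$seen = [];
parse_str(parse_url(make_link($base, $secret), PHP_URL_QUERY), $q);

var_dump(verify_link($q, $secret, $seen));      // first use of a fresh link
var_dump(verify_link($q, $secret, $seen));      // same link presented again
$forged = ['sig' => str_repeat('0', 64)] + $q;  // signature replaced
var_dump(verify_link($forged, $secret, $seen));
parse_str(parse_url(make_link($base, $secret, time() - 600), PHP_URL_QUERY), $old);
var_dump(verify_link($old, $secret, $seen));    // link issued ten minutes ago
```

Because the signature covers the timestamp, the two sites only need roughly synchronized clocks and the shared key; no list of valid codes has to be exchanged in advance.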