httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: Re[2]: [users@httpd] Help with .htaccess file
Date Thu, 05 Aug 2004 16:04:31 GMT
On Thu, 5 Aug 2004 12:27:06 +0100, Michael Thompson
<mike@thompsonmike.co.uk> wrote:

> > HTTP is, by default, stateless.  There is no concept of having "logged
> > in" one place and therefore gaining access to another place.  The
> > appropriate credentials and checks must be provided on each and every
> > request.  (Many systems get around this by doing the checks once, then
> > providing cookies that the browser must send every time to prove that
> > they are logged in.  Then the system only needs to check the cookies.)
> 
> I knew that, the CMS does indeed validate users, once validated they
> get the link to click on. That works just fine, however I wanted to
> stop Mr Koe Bloggs from typing in a URL directly outside of the
> systems and having access to the system.

That's where you are still not understanding the paragraph I wrote
above.  There is no such thing as inside or outside the system.  There
are only HTTP requests, each of which look completely independent to
the web server.

So it is not good enough to only restrict the page that provides the
link.  You need the CMS itself to control access to the final
document.  How you do that depends on the details of your CMS, of
course.

You can test the Referer to see if they came from the correct page,
but this is easily forgeable, so it does not provide real security.

Joshua.
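Joshua's point in code, as an added example that is not part of the thread and not Apache or CMS code: the same three requests for a protected document are run through a Referer check and through a signed session cookie that is validated on every request. The hostname cms.example, the cookie name cms_session, the secret and the sample requests are all constructed for the example.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

# Constructed server-side secret; a real CMS would load it from configuration.
SECRET_KEY = b"constructed-demo-secret"
LINK_PAGE = "https://cms.example/links"   # assumed page that hands out the link


def issue_session_cookie(user: str) -> str:
    """Once the CMS has validated the login, hand the browser a signed token."""
    tag = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def session_is_valid(cookie_value: str) -> bool:
    """Recompute the tag for the claimed user and compare in constant time."""
    if not cookie_value or ":" not in cookie_value:
        return False
    user, _, tag = cookie_value.partition(":")
    expected = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def referer_gate(headers: dict) -> bool:
    """The weak check: trust whatever Referer the client chose to send."""
    return headers.get("Referer", "").startswith(LINK_PAGE)


def session_gate(headers: dict) -> bool:
    """The per-request check: every request must carry a valid session cookie."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    morsel = jar.get("cms_session")
    return morsel is not None and session_is_valid(morsel.value)


def decide(headers: dict) -> dict:
    """Run both gates on one request so the difference is visible side by side."""
    return {"referer_gate": referer_gate(headers), "session_gate": session_gate(headers)}


def demo() -> dict:
    """Three constructed requests for the final document."""
    good_cookie = issue_session_cookie("alice")
    requests = {
        # 1. Alice follows the link the CMS gave her after logging in.
        "via_cms_link": {"Referer": LINK_PAGE, "Cookie": f"cms_session={good_cookie}"},
        # 2. The URL typed in directly: no session, Referer header made up by the client.
        "typed_in_forged_referer": {"Referer": LINK_PAGE},
        # 3. A cookie whose tag does not match the user it names.
        "tampered_cookie": {"Referer": LINK_PAGE, "Cookie": "cms_session=alice:0000"},
    }
    return {name: decide(h) for name, h in requests.items()}
```

Only the first request passes the session gate; the Referer gate accepts all three, which is why the CMS must make the decision on every request rather than on the page that shows the link.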

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

