[PHP] Referring URL Authentication

2007-03-14 Thread Matthew Vickery

The situation is as follows:
I wish to protect the entire Website http://www.example.com from
direct URL access. i.e. if someone enters http://www.example.com into
their browser they get a message stating that they are not authorised
to access the site.  The only way to access http://www.example.com
should be to log into a second site http://www.intranet.com and follow
a link from within to http://www.example.com.

The problem:
I initially thought I should use the predefined PHP variable
$_SERVER['HTTP_REFERER'], but the PHP website explains that this
cannot really be trusted
(http://uk2.php.net/manual/en/reserved.variables.php).

Next I thought about HTTP authentication.  If I password protect the
Website using .htaccess and .htpasswd as follows:
Code:

AuthName "Login to access the Website"
AuthType Basic
# Note: a .htpasswd kept under httpdocs sits inside the web root; it is safer outside it
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
Require user username


Then my link within http://www.intranet.com could simply be:
Code:

<a href="http://username:[EMAIL PROTECTED]">Link to example.com</a>


However this doesn't seem secure.  The username and password are
visible to anyone who views the source of the page with the link.
Also as these are not encrypted is it not possible for them to be
intercepted?

I could of course write my own authentication code on
http://www.example.com and pass a variable via a GET or POST from
http://www.intranet.com, which would cause a login and a cookie to be
set there.  But this is basically the same as above and still seems
insecure!

Is there a better/standard way to do this kind of thing?

Any help will be most appreciated,

Matthew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Referring URL Authentication

2007-03-14 Thread Tijnema !

On 3/14/07, Matthew Vickery [EMAIL PROTECTED] wrote:

The situation is as follows:
I wish to protect the entire Website http://www.example.com from
direct URL access. i.e. if someone enters http://www.example.com into
their browser they get a message stating that they are not authorised
to access the site.  The only way to access http://www.example.com
should be to log into a second site http://www.intranet.com and follow
a link from within to http://www.example.com.

The problem:
I initially thought I should use the predefined PHP variable
$_SERVER['HTTP_REFERER'], but the PHP website explains that this
cannot really be trusted
(http://uk2.php.net/manual/en/reserved.variables.php).

Next I thought about HTTP authentication.  If I password protect the
Website using .htaccess and .htpasswd as follows:
Code:

AuthName "Login to access the Website"
AuthType Basic
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
Require user username


Then my link within http://www.intranet.com could simply be:
Code:

<a href="http://username:[EMAIL PROTECTED]">Link to example.com</a>


However this doesn't seem secure.  The username and password are
visible to anyone who views the source of the page with the link.
Also as these are not encrypted is it not possible for them to be
intercepted?

I could of course write my own authentication code on
http://www.example.com and pass a variable via a GET or POST from
http://www.intranet.com, which would cause a login and a cookie to be
set there.  But this is basically the same as above and still seems
insecure!

Is there a better/standard way to do this kind of thing?

Any help will be most appreciated,

Matthew


I don't know about a standard way of doing this, and the biggest part
of this problem is on the user's side, the side that you cannot change
with PHP code.

AFAIK browsers such as IE, Firefox and Mozilla set the referer header
fine, but some other silly browsers might not, and thereby might not
be able to access your protected site. Also, this is quite easy to
hack, as some browsers even support defining what referer to use.

But I see you really care that a user is authenticated, so a login
system is recommended. .htaccess files would do the job sometimes, but
not always, so I think you'd be better off using cookies/sessions.

Tijnema





Re: [PHP] Referring URL Authentication

2007-03-14 Thread Robert Cummings
On Wed, 2007-03-14 at 14:50 +, Matthew Vickery wrote:
 The situation is as follows:
 I wish to protect the entire Website http://www.example.com from
 direct URL access. i.e. if someone enters http://www.example.com into
 their browser they get a message stating that they are not authorised
 to access the site.  The only way to access http://www.example.com
 should be to log into a second site http://www.intranet.com and follow
 a link from within to http://www.example.com.
 
 The problem:
 I initially thought I should use the predefined PHP variable
 $_SERVER['HTTP_REFERER'], but the PHP website explains that this
 cannot really be trusted
 (http://uk2.php.net/manual/en/reserved.variables.php).
 
 Next I thought about HTTP authentication.  If I password protect the
 Website using .htaccess and .htpasswd as follows:
 Code:
 
 AuthName "Login to access the Website"
 AuthType Basic
 AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
 Require user username
 
 
 Then my link within http://www.intranet.com could simply be:
 Code:
 
 <a href="http://username:[EMAIL PROTECTED]">Link to example.com</a>
 
 
 However this doesn't seem secure.  The username and password are
 visible to anyone who views the source of the page with the link.
 Also as these are not encrypted is it not possible for them to be
 intercepted?
 
 I could of course write my own authentication code on
 http://www.example.com and pass a variable via a GET or POST from
 http://www.intranet.com, which would cause a login and a cookie to be
 set there.  But this is basically the same as above and still seems
 insecure!
 
 Is there a better/standard way to do this kind of thing?

So you want a user who has authenticated on domain A to be able to
transparently transfer to domain B? Do they share a common database? Do
you have scripting access to both systems?

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'




RE: [PHP] Referring URL Authentication

2007-03-14 Thread Tim
 

 -----Original Message-----
 From: Robert Cummings [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday 14 March 2007 16:13
 To: Matthew Vickery
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] Referring URL Authentication
 
 On Wed, 2007-03-14 at 14:50 +, Matthew Vickery wrote:
  The situation is as follows:
  I wish to protect the entire Website http://www.example.com from 
  direct URL access. i.e. if someone enters 
 http://www.example.com into 
  their browser they get a message stating that they are not 
 authorised 
  to access the site.  The only way to access http://www.example.com 
  should be to log into a second site http://www.intranet.com 
 and follow 
  a link from within to http://www.example.com.

Are you admin of these machines? If so, use firewall rules to filter traffic,
allowing only your domain to access it, and then set up authentication on the
destination server. You'll save yourself some trouble.
If not, what kind of access do you have on these servers regarding
scripting/.htaccess and server config files?
If you can get to the Apache config files, look up the Apache Directory
directives; you should find some hints in there as to how to limit certain
hosts to certain domains.

Regards,

Tim

Programming is a race between people making better and faster programs and
the universe making bigger and dumber people. So far the universe is
winning




Re: [PHP] Referring URL Authentication

2007-03-14 Thread Matthew Vickery

Robert Cummings wrote:

On Wed, 2007-03-14 at 14:50 +, Matthew Vickery wrote:

The situation is as follows:
I wish to protect the entire Website http://www.example.com from
direct URL access. i.e. if someone enters http://www.example.com into
their browser they get a message stating that they are not authorised
to access the site.  The only way to access http://www.example.com
should be to log into a second site http://www.intranet.com and follow
a link from within to http://www.example.com.

The problem:
I initially thought I should use the predefined PHP variable
$_SERVER['HTTP_REFERER'], but the PHP website explains that this
cannot really be trusted
(http://uk2.php.net/manual/en/reserved.variables.php).

Next I thought about HTTP authentication.  If I password protect the
Website using .htaccess and .htpasswd as follows:
Code:

AuthName "Login to access the Website"
AuthType Basic
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
Require user username


Then my link within http://www.intranet.com could simply be:
Code:

<a href="http://username:[EMAIL PROTECTED]">Link to example.com</a>


However this doesn't seem secure.  The username and password are
visible to anyone who views the source of the page with the link.
Also as these are not encrypted is it not possible for them to be
intercepted?

I could of course write my own authentication code on
http://www.example.com and pass a variable via a GET or POST from
http://www.intranet.com, which would cause a login and a cookie to be
set there.  But this is basically the same as above and still seems
insecure!

Is there a better/standard way to do this kind of thing?


So you want a user who has authenticated on domain A to be able to
transparently transfer to domain B? Do they share a common database? Do
you have scripting access to both systems?

Cheers,
Rob.



Hi Rob,

Thanks for your reply.

Yes, I want a user who has authenticated on domain A to be able to 
transparently transfer to domain B.

No, domains A and B don't share a common database.
I only have scripting access to domain B.

Basically I am creating a mini-site on my Web server (domain B) that a 
company needs to access securely via their Intranet (domain A), 
hopefully without the need to setup an extensive user database and login 
system on my Web server that will be additional to their Intranet login...


I hope this makes things clearer?

Cheers, Matthew




Re: [PHP] Referring URL Authentication

2007-03-14 Thread Robert Cummings
On Wed, 2007-03-14 at 16:23 +, Matthew Vickery wrote:
 Robert Cummings wrote:
  On Wed, 2007-03-14 at 14:50 +, Matthew Vickery wrote:
  The situation is as follows:
  I wish to protect the entire Website http://www.example.com from
  direct URL access. i.e. if someone enters http://www.example.com into
  their browser they get a message stating that they are not authorised
  to access the site.  The only way to access http://www.example.com
  should be to log into a second site http://www.intranet.com and follow
  a link from within to http://www.example.com.
 
  The problem:
  I initially thought I should use the predefined PHP variable
  $_SERVER['HTTP_REFERER'], but the PHP website explains that this
  cannot really be trusted
  (http://uk2.php.net/manual/en/reserved.variables.php).
 
  Next I thought about HTTP authentication.  If I password protect the
  Website using .htaccess and .htpasswd as follows:
  Code:
 
  AuthName "Login to access the Website"
  AuthType Basic
  AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
  Require user username
 
 
  Then my link within http://www.intranet.com could simply be:
  Code:
 
  <a href="http://username:[EMAIL PROTECTED]">Link to example.com</a>
 
 
  However this doesn't seem secure.  The username and password are
  visible to anyone who views the source of the page with the link.
  Also as these are not encrypted is it not possible for them to be
  intercepted?
 
  I could of course write my own authentication code on
  http://www.example.com and pass a variable via a GET or POST from
  http://www.intranet.com, which would cause a login and a cookie to be
  set there.  But this is basically the same as above and still seems
  insecure!
 
  Is there a better/standard way to do this kind of thing?
  
  So you want a user who has authenticated on domain A to be able to
  transparently transfer to domain B? Do they share a common database? Do
  you have scripting access to both systems?
  
  Cheers,
  Rob.
 
 
 Hi Rob,
 
 Thanks for your reply.
 
 Yes, I want a user who has authenticated on domain A to be able to 
 transparently transfer to domain B.
 No, domains A and B don't share a common database.
 I only have scripting access to domain B.
 
 Basically I am creating a mini-site on my Web server (domain B) that a 
 company needs to access securely via their Intranet (domain A), 
 hopefully without the need to setup an extensive user database and login 
 system on my Web server that will be additional to their Intranet login...
 
 I hope this makes things clearer?

It does... but you have no control. What you want to do can't be done
with any certainty about the incoming connection. You need control over
A to have any kind of security when transferring to B.

Cheers,
Rob.

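What Rob's "control over A" looks like in practice, as an added example that is not code from the thread or from any poster. It takes Matthew's rejected idea (pass a variable via GET that logs the user in on B) and hardens it: the intranet (A) signs each link with an HMAC over the user name, an expiry time and a one-time nonce using a secret shared with B, so a link copied from page source or sniffed on the wire is useless after two minutes or after its first use, and nothing in the page is a reusable password. It assumes scripting on A, which Matthew says he does not have; a shared secret SHARED_SECRET; HTTPS on B; an entry point handoff.php; a two-minute lifetime; and an intranet egress address 203.0.113.10 for the IP restriction Tim suggests. All of those names and values are illustrative.

```php
<?php
// Added example, not code from the thread. Signed, expiring hand-off link
// from domain A (the intranet) to domain B (www.example.com). Assumes
// scripting on A, a secret shared by both servers, HTTPS on B and the
// hypothetical entry point /handoff.php. Names and values are illustrative.

const SHARED_SECRET = 'replace with 32+ random bytes, identical on A and B';
const HANDOFF_TTL   = 120;   // seconds a link stays usable (assumed value)

// Side A (intranet): called only for a user who has already logged in there.
function intranet_link(string $user, int $now, string $secret): string
{
    $exp   = $now + HANDOFF_TTL;
    $nonce = bin2hex(random_bytes(8));          // makes every link single-use
    $sig   = hash_hmac('sha256', "$user|$exp|$nonce", $secret);
    return 'https://www.example.com/handoff.php?' . http_build_query(
        ['u' => $user, 'exp' => $exp, 'n' => $nonce, 'sig' => $sig]
    );
}

// Side B (www.example.com): returns the user name if the link is genuine,
// unexpired and unused, otherwise null. $seen is the replay store; it must
// be persistent (database or file) in practice, not a per-request array.
function verify_handoff(array $q, int $now, string $secret, array &$seen): ?string
{
    foreach (['u', 'exp', 'n', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return null;                        // missing or array-valued parameter
        }
    }
    if (!ctype_digit($q['exp']) || (int) $q['exp'] < $now) {
        return null;                            // expired: a copied link dies quickly
    }
    if (isset($seen[$q['n']])) {
        return null;                            // replay of a link already used once
    }
    $expected = hash_hmac('sha256', "{$q['u']}|{$q['exp']}|{$q['n']}", $secret);
    if (!hash_equals($expected, $q['sig'])) {   // constant-time comparison
        return null;                            // forged or tampered link
    }
    $seen[$q['n']] = true;
    return $q['u'];
}

// handoff.php on B: the only URL that may start a session.
if (PHP_SAPI !== 'cli') {
    // Defence in depth along the lines Tim suggests: accept only connections
    // from the intranet's outbound address (assumed value). Behind a reverse
    // proxy REMOTE_ADDR is the proxy, so rely on the proxy's own filtering.
    $intranet_egress = ['203.0.113.10'];
    if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', $intranet_egress, true)) {
        http_response_code(403);
        exit('Not authorised');
    }
    $seen = [];                                 // replace with a persistent store
    $user = verify_handoff($_GET, time(), SHARED_SECRET, $seen);
    if ($user === null) {
        http_response_code(403);
        exit('Not authorised');
    }
    session_start();
    session_regenerate_id(true);                // fresh session id at login
    $_SESSION['user'] = $user;
    header('Location: /');                      // leave the token out of later URLs
    exit;
}
```

intranet_link() lives on A and verify_handoff() plus the handoff.php block on B; every other page on B simply refuses to serve unless $_SESSION['user'] is set. The immediate redirect matters: the signed token is in the query string, so it lands in B's access log and would leak in the Referer of any outbound link on the landing page, which is also why the lifetime is kept to minutes and the nonce store makes each link single-use.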