Hello Craig Sanders <[EMAIL PROTECTED]>,

I was considering putting static files outside the document root; however, I'm afraid it will add to the directory complexity.

And you said a real authentication method could be useful. How? Since they are just static files, I can't embed authentication in them, right?

On Tue, 30 Apr 2002 14:07:21 +1000
Craig Sanders <[EMAIL PROTECTED]> wrote:

> On Tue, Apr 30, 2002 at 02:12:03AM +0800, Patrick Hsieh wrote:
> > If I want to prevent users from directly accessing my .html files, say by typing
> > the complete URL in the browser, is it possible?
> >
> > In PHP, I can check the HTTP_REFERER to make sure connections
> > originate from the same website. If the HTTP_REFERER is empty or does not
> > belong to the same website, I can redirect the client to another
> > webpage. However, when it comes to static .html or even .jpg files, is
> > it possible to configure Apache to avoid that situation?
>
> no.
>
> you can't trust user-supplied data such as HTTP_REFERER for anything.
>
> "security" based on HTTP_REFERER is as dumb as "security" based on IP
> address. it doesn't work, and it can't work (sorry, but "sort of works
> sometimes in conditions completely outside of my control" does not
> qualify as "works").
>
> some browsers don't provide HTTP_REFERER, and some privacy-enhancing
> proxies strip it from all requests. in addition, it is trivially easy
> for anyone to forge HTTP_REFERER in any request.
>
>
> if you don't want static html (or any other file type) to be directly
> fetchable by end-users then don't put them under your document root.
>
> alternatively, use a real authentication method to restrict access.
>
> craig
>
> --
> craig sanders <[EMAIL PROTECTED]>
>
> Fabricati Diem, PVNC.
> -- motto of the Ankh-Morpork City Watch

--
Patrick Hsieh <[EMAIL PROTECTED]>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
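The "real authentication method" Craig refers to, as an added illustration that is not part of the original thread: Apache enforces access control in its own configuration, so a static .html or .jpg needs nothing embedded in it. The Referer-gated block is shown only as the weak setting beside the corrected one; Apache 2.4 directive syntax, the directory paths, the hostname and the password file are assumptions.

```apache
# Added example, not the thread's own configuration. Apache 2.4 syntax,
# paths, hostname and password file are assumed placeholders.

# WEAK: gating on the Referer header. The client controls this header, it is
# often absent (privacy proxies, some browsers) and trivially forged, so this
# locks out legitimate users while stopping nobody who is determined.
<Directory "/var/www/html/images">
    SetEnvIf Referer "^https?://www\.example\.com/" local_referer
    Require env local_referer
</Directory>

# REAL: the files can stay under DocumentRoot; the server demands credentials
# on every request, so typing the URL directly gets a 401 without a valid login.
# The user file is created with: htpasswd -c /etc/apache2/htpasswd.protected alice
<Directory "/var/www/html/protected">
    AuthType Basic
    AuthName "Members only"
    AuthUserFile "/etc/apache2/htpasswd.protected"
    Require valid-user
</Directory>
```

Basic authentication sends the credentials with every request, so serve such a directory over HTTPS only.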