altivo: Blinking Altivo (altivo blink)
[personal profile] altivo
OK, someone out there is undoubtedly a lot more versed in HTML and scripting than I am.

Here's what I've got:

  1. Database vendor provides me with a "secret" URL to link to that gives access to a databank to which the library has subscribed.

  2. I provide vendor with the range of IP addresses used by machines in the library, and they guarantee open access to the data from those addresses.

  3. They also offer to let the library's "legitimate users" have access from other locations, provided that we validate them by passwords or something first.

  4. I can validate them by checking their 14-digit library card number, and have already done so for other applications. Simple, no? No!


Here's why: The vendor wants the HTTP_REFERER environment variable to be a known value, always the same, that they can check to show that the access is validated. They do NOT want the user to know what URL they have been linked to when they gain access.

I know how to meet one or the other of those requirements, but not both at the same time. If I use a script to validate the user's access, and then link them to the right URL by using "Location" or "Refresh", the HTTP_REFERER comes up blank at the destination. If I use the script to send the user to a confirmation page and ask them to click a button or link to get to the target, HTTP_REFERER is set and valid but the user can easily figure out the direct URL to link to.

Now theoretically, even knowing the "secret" URL does no good because HTTP_REFERER can't be set to an arbitrary value. Or can it? If it can, someone knowing the URL and the referring location can gain access to the data illicitly. If it can't, then it doesn't seem to matter if the target URL is discoverable.

Or is there a solution to this problem that I'm not seeing? I think some of you may well know. [livejournal.com profile] bariki? [livejournal.com profile] hellmutt?
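
An added example, not part of the original post and not the vendor's code: it puts a vendor-side check on the Referer header, as the post describes, beside an expiring HMAC-signed token that the library's validation script could append to the link after checking the card number. The URL, key, token format and function names are assumptions; the post does not say the vendor supports such a scheme.

```python
import hashlib
import hmac
import time

# All names and values below are constructed for illustration.
EXPECTED_REFERER = "https://library.example/validated"  # hypothetical fixed referrer
SHARED_KEY = b"constructed-demo-key"  # hypothetical secret shared by library and vendor
TOKEN_LIFETIME = 300                  # seconds a handoff link stays valid


def referer_check(headers):
    """Vendor-side check as the post describes it: compare the Referer header.

    The header is supplied by the client, so a match only shows that the
    request claims to come from the validation page.
    """
    return headers.get("Referer") == EXPECTED_REFERER


def _mac(message):
    return hmac.new(SHARED_KEY, message.encode(), hashlib.sha256).hexdigest()


def issue_token(card_number, now=None):
    """Library side: once the card number validates, mint an expiring token."""
    expires = int(time.time() if now is None else now) + TOKEN_LIFETIME
    # Keyed pseudonym, so the card number itself never appears in the URL.
    user = _mac("user:" + card_number)[:16]
    message = f"{user}.{expires}"
    return f"{message}.{_mac(message)}"


def token_check(token, now=None):
    """Vendor side: accept only an unexpired token carrying a valid MAC."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    user, expires, sig = parts
    expected = _mac(f"{user}.{expires}")
    # Constant-time comparison on bytes (also safe for non-ASCII input).
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return int(time.time() if now is None else now) <= int(expires)
```

With a token like this, learning the target URL gives nothing lasting: the link stops working after `TOKEN_LIFETIME` seconds and cannot be re-minted without the shared key.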