HTML and Script esoterica... Help?
Mar. 9th, 2006 07:08 pm

OK, someone out there is undoubtedly a lot more versed in HTML and scripting than I am.
Here's what I've got:
- Database vendor provides me with a "secret" URL to link to that gives access to a databank to which the library has subscribed.
- I provide vendor with the range of IP addresses used by machines in the library, and they guarantee open access to the data from those addresses.
- They also offer to let the library's "legitimate users" have access from other locations, provided that we validate them by passwords or something first.
- I can validate them by checking their 14-digit library card number, and have already done so for other applications. Simple, no? No!
Here's why: The vendor wants the HTTP_REFERER environment variable to be a known value, always the same, that they can check to show that the access is validated. They do NOT want the user to know what URL they have been linked to when they gain access.
I know how to meet one or the other of those requirements, but not both at the same time. If I use a script to validate the user's access, and then link them to the right URL by using "Location" or "Refresh", the HTTP_REFERER comes up blank at the destination. If I use the script to send the user to a confirmation page and ask them to click a button or link to get to the target, HTTP_REFERER is set and valid, but the user can easily figure out the direct URL to link to.
Now theoretically, even knowing the "secret" URL does no good because HTTP_REFERER can't be set to an arbitrary value. Or can it? If it can, someone knowing the URL and the referring location can gain access to the data illicitly. If it can't, then it doesn't seem to matter if the target URL is discoverable.
Or is there a solution to this problem that I'm not seeing? I think some of you may well know.
bariki?
hellmutt?