[WEB4LIB] Remote Access via Referral URL?

Thomas Dowling tdowling at ohiolink.edu
Tue Apr 13 15:31:40 EDT 1999


There are several problems with this.

First, not all browsers send referer URLs; some usually do but can be
configured not to; none are supposed to if the URL is entered by hand, or
possibly from a bookmark; some can easily spoof a referer URL, making your
security easy to breach (not an easy feature to sell to data vendors).

Second, what should the remote site look for after sending back the first
page?  Every page becomes the referer for the next one, so they would have
to allow access to anyone coming from any page you could get to in their
interface, including online help, demos, etc. that may not require
authentication.

Third, this is definitely not built into standard web servers, so this
would require either that the remote site do some major modification to
their server, or serve everything out of a server-side script that can
examine incoming HTTP headers, which could incur a performance hit.


Thomas Dowling
OhioLINK - Ohio Library and Information Network
tdowling at ohiolink.edu


----- Original Message -----
From: Wes Edens <EDENSW at t-bird.edu>
To: Multiple recipients of list <web4lib at webjunction.org>
Sent: Tuesday, April 13, 1999 2:38 PM
Subject: [WEB4LIB] Remote Access via Referral URL?


> My apologies if this question has been covered before--I checked the
> archive and that did not seem to be the case.
> Like most libraries, we are struggling with the issue of providing
> remote access to our IP-protected, licensed databases (ProQuest, Ebsco,
> etc.)  We have experimented with scripted IDs and passwords, and with a
> proxy server.  Both were unsatisfactory to us for various reasons I won't
> go into now.  To get to the point, we are now looking at access by a
> referral (referring?) URL.
> We have a secure intranet for students, faculty, and staff.  If a
> database knows the user is coming from a particular URL that is secure,
> they should be able to let the user in, right?
> It would seem that there would be some accommodation that the database
> provider would have to make, but none for the library or the user, other
> than setting up the page on the intranet.
> Is anyone else doing this?  Any pointers?
> Thanks in advance.
>
>
> Wes Edens
> Electronic Resources Librarian
> Thunderbird, the American Graduate School of International Management
> 15249 N 59 Ave
> Glendale, AZ 85306
> edensw at t-bird.edu
> Voice:  (602) 978-7897
> Facsimile: (602) 978-7762
>
>
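
The cases raised in the reply above, as an added Python example that is not part of the original thread: a Referer-only gate evaluated over constructed requests. The hostnames, paths and the `trust_vendor_pages` switch are assumptions made for illustration.

```python
# Added illustration; hostnames and paths are constructed, not from the thread.
from urllib.parse import urlsplit

INTRANET = ("intranet.library.example", "/databases/")  # hypothetical library page
VENDOR_HOST = "db.vendor.example"                        # hypothetical vendor site


def referer_allows(headers, trust_vendor_pages=False):
    """Return True if a Referer-only gate would admit this request."""
    ref = headers.get("Referer")
    if not ref:
        return False  # header absent: the gate has nothing to check
    url = urlsplit(ref)
    if url.hostname == INTRANET[0] and url.path.startswith(INTRANET[1]):
        return True
    # Every page after the first has the vendor's own site as its referer,
    # so the gate must either trust vendor pages or lock the patron out.
    return trust_vendor_pages and url.hostname == VENDOR_HOST


def outcomes():
    """Run the gate over constructed requests matching the cases in the reply."""
    intranet_ref = {"Referer": "http://intranet.library.example/databases/index.html"}
    cases = {
        # name: (request headers, trust_vendor_pages)
        "patron_first_click": (intranet_ref, False),
        "patron_bookmark_or_typed": ({}, False),
        "patron_second_page": ({"Referer": "http://db.vendor.example/search"}, False),
        # The server sees only the header value, not who produced it.
        "outsider_same_header": (dict(intranet_ref), False),
        # Trusting vendor pages also admits arrivals from unauthenticated ones.
        "outsider_from_public_help": ({"Referer": "http://db.vendor.example/help"}, True),
    }
    return {name: referer_allows(h, t) for name, (h, t) in cases.items()}


if __name__ == "__main__":
    for name, allowed in outcomes().items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY'}")
```

The gate denies legitimate patrons in two of three cases and admits both non-patron requests, because the only input it has is a value the client supplies.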


