[Web4lib] Referrer URL authentication

Thomas Dowling tdowling at ohiolink.edu
Mon Dec 18 09:41:54 EST 2006


On 12/17/2006 11:36 PM, Aslin, Verna wrote:

> My library service provides access to database vendors' sites by means
> of referrer URL checking at their end. Now we'd like to use referrer URL
> authentication ourselves to give students who have already authenticated
> to a related site, access to our library pages. I've been hunting for a
> freeware script to use on our site that will allow us to specify whether
> users can get straight in if they come from a certain site, or get
> prompted with a login page if they don't, but no luck. Does anyone know
> of one that is available? I'm not up to original scripting but that will
> be the next step if there isn't a freebie we could adapt.


Understand first that referer security is not secure.  It will represent
little more than a nuisance to someone who seriously wants to get in,
and anyone who knows a valid referer to send can easily find tools to
fake that value in their browser headers.

...but since that probably won't deter you, I recommend the Apache
mod_auth_cookie module.  You'll need to set up Basic Authentication
password protection for the resources you want to protect.  Then set up
a simple CGI script that sets a cookie if you like someone's referer;
mod_auth_cookie then uses that cookie value as the Basic Auth credentials.

See <http://raburton.lunarpages.com/apache/mod_auth_cookie/>.


-- 
Thomas Dowling
tdowling at ohiolink.edu
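
The CGI step described in the message above, sketched in Python as an added example (not part of the original post and not mod_auth_cookie's own code). Hostnames, cookie name and value, and paths are placeholders; the value mod_auth_cookie actually expects comes from its own documentation. The check compares the parsed Referer host exactly rather than by substring, and it is still only as strong as a header the client supplies, as the message says.

```python
#!/usr/bin/env python3
"""Referer gate for a CGI script: set a cookie for trusted referers, else send to login."""
import os
from urllib.parse import urlsplit

# Assumptions (placeholders, not from the original post):
TRUSTED_REFERER_HOSTS = {"portal.example.edu"}   # site users have already logged in to
COOKIE_NAME = "libauth"                          # hypothetical cookie name
COOKIE_VALUE = "PLACEHOLDER-CREDENTIALS"         # in the form mod_auth_cookie is set up to read
PROTECTED_URL = "/library/"
LOGIN_URL = "/login.html"


def referer_is_trusted(referer):
    """True only for an http(s) URL whose host exactly matches a trusted host.

    A substring test such as '"portal.example.edu" in referer' would also accept
    that name appearing in a query string or as a prefix of another domain.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
        host = parts.hostname          # lower-cased by urllib; None if absent
    except ValueError:                 # malformed netloc, e.g. bad IPv6 literal
        return False
    return parts.scheme in ("http", "https") and host in TRUSTED_REFERER_HOSTS


def build_response(environ):
    """Return the CGI header lines for this request."""
    if referer_is_trusted(environ.get("HTTP_REFERER")):
        return [
            "Status: 302 Found",
            f"Set-Cookie: {COOKIE_NAME}={COOKIE_VALUE}; Path={PROTECTED_URL}; Secure; HttpOnly",
            f"Location: {PROTECTED_URL}",
        ]
    # No or unrecognised Referer: fall back to the normal login page.
    return ["Status: 302 Found", f"Location: {LOGIN_URL}"]


if __name__ == "__main__":
    # CGI: headers, then a blank line; the body is empty for a redirect.
    print("\n".join(build_response(os.environ)) + "\n")
```
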

