On Friday 10 October 2003 09:36 am, HaywireMac wrote:
> On Fri, 10 Oct 2003 09:34:38 -0400
>
> Bryan Phinney <[EMAIL PROTECTED]> uttered:
> > > Considering the effects of compromised home computers running XP on
> > > the 'net, I would like to start a campaign to essentially "lock out"
> > > IE from accessing websites.
> > >
> > > Of course, one would still be able to use Windows, but have to use
> > > an alternate browser such as Mozilla.
> >
> > You can test for an explicit browser string but the code must be added
> > to every virtual server run from Apache.  You can't just add it to a
> > configuration setting, it has to be in the page or application code.
>
> I haven't even got Virtual Servers to work yet, even after following the
> multitude of examples on this and the Newb list, I'll be happy if I can
> just get some momentum going on this.
>
> So what you are saying is the Apache config is useless? On their
> docs page they seem to say otherwise...

I do not know of any method of detecting the browser and altering the default 
page displayed based on that browser that does not entail creating code on 
the default display page and possibly subsequent pages of the site.  I also 
do not know of any method of doing this that I would be unable to bypass in 
some manner.  Figuring out what happens when you bypass the detection code is 
part of QA and I have yet to see any site that is capable of locking me out 
based on my browser.  I have been working in software QA for about 8 years, 
the last 4-5 have been spent almost entirely on web-based applications.  I 
would consider myself somewhat knowledgeable in that area.  YMMV.

> > Also, if someone has a page under the actual index bookmarked, they
> > can still bypass the detection string.  I use that all the time to
> > bypass detection and enforcement of IE only.
>
> I don't have many pages to edit, so adding it to each and every page
> would be a simple matter of copy and paste.

That depends on your pages.  If you use a CGI method, each page that can be 
reached via URL must be CGI based.  If you use a PHP method, the same holds 
true.  If you mix html, dhtml, CGI, etc. it is not a simple cut and paste 
function.  The fact is that if I can load a page without loading the specific 
redirect code that you created, I can bypass the detection.  Also, if I use a 
proxy server that doesn't pass a browser id header, I can bypass the 
redirect.  If you are trying to lock out a specific browser, it is easier to 
bypass than if you only accepted a particular one.  Without a browser header, 
the default behavior is probably to display the normal page.  With most 
detection mechanisms, the default is to not display unless the browser 
identifies itself as a certain type.  Even that can be spoofed, although not 
trivially with IE.

-- 
Bryan Phinney
Software Test Engineer
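
The difference the message above describes between locking out one browser and accepting only one browser, as an added example that is not part of the original post. The patterns, function names and sample headers are assumptions constructed for illustration.

```python
import re

# Constructed sample requests (label, headers); not taken from the thread.
SAMPLE_REQUESTS = [
    ("IE 6 on XP", {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}),
    ("Mozilla 1.4", {"User-Agent": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624"}),
    ("proxy stripped header", {}),
    ("empty header", {"User-Agent": ""}),
]

BLOCKED = re.compile(r"\bMSIE\b")       # hypothetical "lock out IE" pattern
ALLOWED = re.compile(r"\bGecko/\d+")    # hypothetical "accept Mozilla only" pattern


def get_ua(headers):
    """Return the User-Agent value; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "user-agent":
            return value.strip()
    return ""


def blocklist_allows(headers):
    """Lock out one browser: serve unless the string matches. Fails open."""
    return BLOCKED.search(get_ua(headers)) is None


def allowlist_allows(headers):
    """Accept one browser: serve only on a positive match. Fails closed."""
    return ALLOWED.search(get_ua(headers)) is not None


def compare(requests):
    """Return (label, blocklist_decision, allowlist_decision) per request."""
    return [(label, blocklist_allows(h), allowlist_allows(h)) for label, h in requests]


if __name__ == "__main__":
    for label, blocked_mode, allowed_mode in compare(SAMPLE_REQUESTS):
        print(f"{label:24} lock-out={'serve' if blocked_mode else 'deny':5} "
              f"accept-only={'serve' if allowed_mode else 'deny'}")
```

Both checks see only the string the client chooses to send, so neither is an access control; the comparison shows only which way each one fails when the header is absent.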

