steve miller wrote:
I am building a site for our school that handles signups for trips and
such, and we want it to be accessible only from within another site that
has a secure login. In other words, we don't want it accessible from
search engine links or direct urls. The other site (edline.com) is not
owned by us so I can't access user info, but we can place links on it.
I was thinking of looking for the correct http_referer coming in, but
I've been told some browsers and/or firewalls might block it from being
passed. Any thoughts on how else to confirm the link came in from the
right place?

You can't rely on it being passed to you, and you also can't rely on it
being correct; it's trivial to spoof.

There's not much in the way of secure methods to validate it that I can
think of that wouldn't require the co-operation of the other site.

With enough access to the other site to place server-side scripts on it,
you could probably come up with something that redirects the user to
your site, along with a "token" calculated by, say, the user's IP along
with a secret key known by both sites - your new site could then
validate that the token looks correct, and start a session indicating
that the user is valid.
____ The WDVL Discussion List from WDVL.COM ____
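
The token scheme suggested in the reply above, sketched in Python as an added example (not code from the original post or from either site). It assumes both sites hold the same SHARED_SECRET and use HMAC-SHA256 as the calculation, and it goes one step beyond the post by including a timestamp so a token expires; all names and values here are hypothetical.

```python
import hashlib
import hmac
import time

# Assumption: a secret provisioned out of band on both sites (constructed value).
SHARED_SECRET = b"constructed-demo-secret-change-me"
MAX_AGE_SECONDS = 120  # assumption: how long a redirect token stays valid


def _mac(client_ip, ts, secret):
    """HMAC-SHA256 over the client IP and issue time, keyed with the shared secret."""
    msg = f"{client_ip}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(client_ip, secret=SHARED_SECRET, now=None):
    """Runs on the linking site: build the token appended to the redirect URL."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(client_ip, ts, secret)}"


def verify_token(token, client_ip, secret=SHARED_SECRET, now=None,
                 max_age=MAX_AGE_SECONDS):
    """Runs on the signup site: True only for a fresh token issued for this IP."""
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(".")
    # Reject malformed input before doing any arithmetic on it.
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False
    expected = _mac(client_ip, ts, secret)
    # Constant-time comparison on bytes, so the check does not leak how many
    # characters matched and does not raise on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    # abs() tolerates small clock differences between the two servers.
    return abs(now - int(ts)) <= max_age


if __name__ == "__main__":
    token = make_token("203.0.113.7")            # constructed sample IP
    print(verify_token(token, "203.0.113.7"))    # same IP, fresh token
    print(verify_token(token, "198.51.100.9"))   # different IP
```

On a successful check the signup site starts a session, as the reply describes, so the token is needed only once per visit. A user whose requests reach the two sites from different IP addresses (for example through a proxy pool) fails the check and has to follow the link again.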