Posted to users@httpd.apache.org by Peter J Milanese <PM...@nypl.org> on 2005/10/05 10:38:48 UTC

Re: [users@httpd] security

There are a number of ways to handle this. If your site is a mix of auth/anon, you probably want to put it in the php. Just do an isset in the php. Documentation on php.net should be helpful. 

-----------------
Sent from my NYPL BlackBerry Handheld.


----- Original Message -----
From:  [baynaa@mobinet.mn]
Sent: 10/05/2005 04:33 AM
To: <us...@httpd.apache.org>
Subject: [users@httpd] security

Hi,

In our web, users should login to access certain contents. But today we've
just realized that one can access those contents without logging in. In other
words, just typing http://xxx.xx/graph_view.php?action=tree&tree_id=22 brings the
graphs. We are using free software, maybe that's why it is not so secure.
Can anyone suggest how to prevent these kinds of things? How can I
configure apache, so that it won't bring the page if it has REMOTE_USER env
variable not set?  Or does it have nothing to do with Apache?

BR, Baynaa.

 


RE: [users@httpd] security

Posted by ba...@mobinet.mn.
Can you give me a little bit more info on this issue? One of the number of
the ways?

 

 

  _____  

From: Peter J Milanese [mailto:PMilanese@nypl.org] 
Sent: Wednesday, October 05, 2005 4:39 PM
To: users
Subject: Re: [users@httpd] security

 

There are a number of ways to handle this. If your site is a mix of
auth/anon, you probably want to put it in the php. Just do an isset in the
php. Documentation on php.net should be helpful. 

-----------------
Sent from my NYPL BlackBerry Handheld.

  _____  

  ----- Original Message -----
  From: [baynaa@mobinet.mn]
  Sent: 10/05/2005 04:33 AM
  To: <us...@httpd.apache.org>
  Subject: [users@httpd] security

 

Hi,

In our web, users should login to access certain contents. But today we've
just realized that one can access those contents without logging in. In other
words, just typing http://xxx.xx/graph_view.php?action=tree&tree_id=22 brings the
graphs. We are using free software, maybe that's why it is not so secure.
Can anyone suggest how to prevent these kinds of things? How can I
configure apache, so that it won't bring the page if it has REMOTE_USER env
variable not set?  Or does it have nothing to do with Apache?

BR, Baynaa.
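
The "isset in the php" check suggested in the thread, written out as an added example (not part of the original messages and not code from the software being discussed). The file name, the function names, the `$_SESSION['user']` key and the `/login.php` URL are assumptions.

```php
<?php
// Hypothetical auth_guard.php: include it as the first line of every protected script.
declare(strict_types=1);

/** Return the logged-in user name, or null for an anonymous request. */
function current_user(array $server, array $session): ?string
{
    // REMOTE_USER is populated only when Apache itself authenticated the
    // request (e.g. Basic auth); an application login form never sets it.
    if (isset($server['REMOTE_USER']) && $server['REMOTE_USER'] !== '') {
        return (string) $server['REMOTE_USER'];
    }
    // Assumed: the application's login code stores the name in $_SESSION['user'].
    if (isset($session['user']) && is_string($session['user']) && $session['user'] !== '') {
        return $session['user'];
    }
    return null;
}

/** Stop the script unless the request belongs to a logged-in user. */
function require_login(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $user = current_user($_SERVER, $_SESSION);
    if ($user === null) {
        header('Location: /login.php', true, 302); // assumed login URL
        exit; // without exit the page below would still be generated and sent
    }
    return $user;
}

// Constructed sample requests, evaluated only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'direct URL, no login' => [[], []],
        'Apache Basic auth'    => [['REMOTE_USER' => 'alice'], []],
        'application session'  => [[], ['user' => 'bob']],
        'empty session value'  => [[], ['user' => '']],
    ];
    foreach ($samples as $label => [$server, $session]) {
        $user = current_user($server, $session);
        printf("%-22s => %s\n", $label, $user ?? 'DENY (redirect to login)');
    }
}
```

A protected script such as graph_view.php would include this file and call `require_login()` before reading `action` or `tree_id`, so a request typed straight into the address bar is redirected instead of served.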