
Referring URL Authentication


mattvick


The situation is as follows:

I wish to protect the entire Website http://www.example.com from direct URL access, i.e. if someone enters http://www.example.com into their browser they get a message stating that they are not authorised to access the site. The only way to access http://www.example.com should be to log into a second site http://www.intranet.com and follow a link from within to http://www.example.com.

 

The problem:

I initially thought I should use the predefined PHP variable $_SERVER['HTTP_REFERER'], but the PHP website explains that this "cannot really be trusted" (see http://uk2.php.net/manual/en/reserved.variables.php).

 

Next I thought about HTTP authentication. If I password protect the Website using .htaccess and .htpasswd as follows:

AuthName "Login to access the Website"
AuthType Basic
AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
Require user username

 

Then my link within http://www.intranet.com could simply be:

<a href="http://username:[email protected]">Link to example.com</a>

 

However, this doesn't seem secure. The username and password are visible to anyone who views the source of the page with the link. Also, as these are not encrypted, is it not possible for them to be intercepted?

 

I could of course write my own authentication code on http://www.example.com and pass a variable via a GET or POST from http://www.intranet.com, which would cause a login and a cookie to be set there.  But this is basically the same as above and still seems insecure!

 

Is there a better/standard way to do this kind of thing?

 

Any help will be most appreciated,

 

Matthew
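
One way to do the GET handoff described in the post without putting a password in the link, as an added example that is not part of the original post: intranet.com signs a short-lived, single-use token with HMAC-SHA256 and example.com verifies it before starting its own session. The shared secret, the function names, the `t` query parameter and the in-memory nonce store are assumptions made for illustration.

```php
<?php
// Added example: names and the secret below are hypothetical placeholders.
const SHARED_SECRET = 'replace-with-a-long-random-value'; // held by both sites
const TOKEN_TTL = 60; // seconds a generated link stays valid

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// intranet.com: called for a logged-in user when the link is rendered.
function issue_token(string $user, int $now): string {
    $payload = b64url(json_encode([
        'u' => $user, 'exp' => $now + TOKEN_TTL, 'n' => bin2hex(random_bytes(8)),
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SHARED_SECRET, true));
}

// example.com: returns the user name, or null when the token must be rejected.
function verify_token(string $token, int $now, array &$seenNonces): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SHARED_SECRET, true));
    if (!hash_equals($expected, $sig)) return null;   // forged or altered
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['u'], $data['exp'], $data['n'])) return null;
    if ($now > $data['exp']) return null;              // link too old
    if (isset($seenNonces[$data['n']])) return null;   // link already used
    $seenNonces[$data['n']] = $data['exp'];            // remember until expiry
    return $data['u'];
}

// Constructed demonstration; $seen stands in for a store shared by all requests.
$seen = [];
$now = time();
$token = issue_token('matthew', $now);
$link = 'http://www.example.com/?t=' . rawurlencode($token);
echo "link: $link\n";
echo 'first use accepted: ', var_export(verify_token($token, $now, $seen) === 'matthew', true), "\n";
echo 'replay rejected: ', var_export(verify_token($token, $now, $seen) === null, true), "\n";
$old = issue_token('matthew', $now - 2 * TOKEN_TTL);
echo 'expired rejected: ', var_export(verify_token($old, $now, $seen) === null, true), "\n";
$forged = issue_token('matthew', $now) . 'x';
echo 'altered rejected: ', var_export(verify_token($forged, $now, $seen) === null, true), "\n";
```

On example.com a successful `verify_token()` would be followed by starting that site's own session. The link should be served over HTTPS, since a token in a URL sent over plain HTTP can still be read in transit.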

 

https://forums.phpfreaks.com/topic/42681-referring-url-authentication/

Archived

This topic is now archived and is closed to further replies.
