BrowserMatch questions

on 11.05.2007 18:27:43 by geometris

Dear all,

I'm aware that the user agent string is not a reliable way to restrict
access to certain browsers. However, I would like to use it to prevent
access to the pages in some directory for user agents other than
MSIE 6.0. (I mean for users with poor computer knowledge).
The purpose is not security; just to make the pages display only with
tested browsers.

On my PC, MSIE 6 announces it as :
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).

and other browsers as :
Mozilla/5.0 (Windows ...

I tested this :

ServerName localhost
DocumentRoot "C:/Apache2/htdocs"


Order deny,allow
Deny from all


NameVirtualHost *:80

ServerName www.sometest.com
DocumentRoot "C:/Apache2/sometest/www"


allow from all


BrowserMatch ^Mozilla/4.0 msie6

deny from all
allow from env=msie6


This works: users with Opera or Netscape are not allowed to access the
docs in subfolder "onlymsie6", as long as they don't cheat with the
user agent string.

Despite this success, I have 4 questions:

Firstly, I observed that setting the msie6 environment variable to
"Mozilla/4.0 (compatible; MSIE 6.0"
does not work, because of the "(" parenthesis, Apache is unable to
compile the httpd.conf file (even when using double quotes).
Is there a way to escape the "(" character ?

Secondly, is there a simple way to redirect all non-accepted browsers
to a custom error page telling them why they don't have access?

Thirdly, does the "^" character mean that the user agent must begin
with the specified string?

Lastly, I wonder if there is a way to make the server-side browser
detection more powerful. For instance testing if the user agent
accepts forms or if it is JavaScript-enabled. I do such tests
client-side but it would be nice if I could also check server-side to
stop cheats.

Thanks for any help.

Re: BrowserMatch questions

on 11.05.2007 19:00:20 by shimmyshack

On 11 May, 17:27, geomet...@fastmail.fm wrote:
> Dear all,
>
> I'm aware that the user agent string is not a reliable way to restrict
> access to certain browsers. However, I would like to use it to prevent
> access to the pages in some directory for user agents other than
> MSIE 6.0. (I mean for users with poor computer knowledge).
> The purpose is not security; just to make the pages display only with
> tested browsers.
>
> On my PC, MSIE 6 announces it as :
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).
>
> and other browsers as :
> Mozilla/5.0 (Windows ...
>
> I tested this :
>
> ServerName localhost
> DocumentRoot "C:/Apache2/htdocs"
>
>
> Order deny,allow
> Deny from all
>
>
>
> NameVirtualHost *:80
>
> ServerName www.sometest.com
> DocumentRoot "C:/Apache2/sometest/www"
>
>
> allow from all
>
>
>
> BrowserMatch ^Mozilla/4.0 msie6
>
> deny from all
> allow from env=msie6
>
>
>
> This works: users with Opera or Netscape are not allowed to access the
> docs in subfolder "onlymsie6", as long as they don't cheat with the
> user agent string.
>
> Despite this success, I have 4 questions:
>
> Firstly, I observed that setting the msie6 environment variable to
> "Mozilla/4.0 (compatible; MSIE 6.0"
> does not work, because of the "(" parenthesis, Apache is unable to
> compile the httpd.conf file (even when using double quotes).
> Is there a way to escape the "(" character ?
>
> Secondly, is there a simple way to redirect all non-accepted browsers
> to a custom error page telling them why they don't have access?
>
> Thirdly, does the "^" character mean that the user agent must begin
> with the specified string?
>
> Lastly, I wonder if there is a way to make the server-side browser
> detection more powerful. For instance testing if the user agent
> accepts forms or if it is JavaScript-enabled. I do such tests
> client-side but it would be nice if I could also check server-side to
> stop cheats.
>
> Thanks for any help.

You cannot stop cheats this way!!
1. I'm not sure about that one, have you tried \
2. If you use the rewrite, you don't need the
    Order Allow,Deny
    allow from msie

    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} !^Mozilla/4.0
    RewriteRule .* /banned.html
3. Yes, ^ means starts with, unless it's with [^a-z] when it means not
- as in algebra
4. No, you are still matching a string, and assuming properties of
the browser based on the string - you must feature detect where the
features are tested. Unfortunately even then people can cheat - should
they care to!
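
The pattern behaviour discussed in this thread (the unescaped "(", the "^" anchor, and what a string match can and cannot tell the server), as an added example that is not part of either post. Python's `re` stands in for Apache's regex engine (an assumption; only syntax common to both is used), and every User-Agent string is a constructed sample.

```python
import re

# Pattern from the post, and a stricter form with "(" and "." backslash-escaped.
LOOSE = r"^Mozilla/4.0"
STRICT = r"^Mozilla/4\.0 \(compatible; MSIE 6\.0"
# The form reported as failing: "(" opens a group that is never closed.
UNESCAPED = r"^Mozilla/4.0 (compatible; MSIE 6.0"

# Constructed sample User-Agent headers (label -> header value).
SAMPLES = {
    "MSIE 6.0": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "MSIE 5.5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    "MSIE 7.0": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Firefox 2": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) "
                 "Gecko/20070309 Firefox/2.0.0.3",
    "Opera sending MSIE 6 token":
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.20",
    "dot wildcard": "Mozilla/4x0 (constructed)",
}


def compiles(pattern):
    """Return (True, None) if the regex compiles, else (False, error text)."""
    try:
        re.compile(pattern)
        return True, None
    except re.error as exc:
        return False, str(exc)


def admitted(pattern, samples=SAMPLES):
    """Labels whose header matches; search() is used because BrowserMatch
    is unanchored unless the pattern itself starts with "^"."""
    rx = re.compile(pattern)
    return [label for label, ua in samples.items() if rx.search(ua)]


if __name__ == "__main__":
    print("unescaped pattern:", compiles(UNESCAPED))
    print("loose  admits:", admitted(LOOSE))
    print("strict admits:", admitted(STRICT))
```

The strict pattern still admits any client that sends the MSIE 6.0 token, which is the limit point 4 of the reply describes: the server only ever sees the string.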