alt.apache.configuration Apache web server configuration issues.

BrowserMatch questions

11/05/2007, 17:27   #1
geometris@fastmail.fm

Dear all,

I'm aware that the user agent string is not a reliable way to restrict
access to certain browsers. However, I would like to use it to prevent
access to the pages in some directory for user agents other than
MSIE 6.0. (I mean for users with poor computer knowledge).
The purpose is not security; just to make the pages display only with
tested browsers.

On my PC, MSIE 6 announces it as :
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).

and other browsers as :
Mozilla/5.0 (Windows ...

I tested this :

ServerName localhost
DocumentRoot "C:/Apache2/htdocs"

<Directory />
Order deny,allow
Deny from all
</Directory>

NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.sometest.com
DocumentRoot "C:/Apache2/sometest/www"

<Directory C:/Apache2/sometest/www>
allow from all
</Directory>

BrowserMatch ^Mozilla/4.0 msie6
<Directory C:/Apache2/sometest/www/onlymsie6>
deny from all
allow from env=msie6
</Directory>
</VirtualHost>

This works: users with Opera or Netscape are not allowed to access the
docs in subfolder "onlymsie6", as long as they don't cheat with the
user agent string.

Despite this success, I have 4 questions:

Firstly, I observed that setting the msie6 environment variable to
"Mozilla/4.0 (compatible; MSIE 6.0"
does not work, because of the "(" parenthesis, Apache is unable to
compile the httpd.conf file (even when using double quotes).
Is there a way to escape the "(" character ?

Secondly, is there a simple way to redirect all non-accepted browsers
to a custom error page telling them why they don't have access?

Thirdly, does the "^" character mean that the user agent must begin
with the specified string?

Lastly, I wonder if there is a way to make the server-side browser
detection more powerful. For instance testing if the user agent
accepts forms or if it is JavaScript-enabled. I do such tests
clientside but it would be nice if I could check also serverside to
stop cheats.

Thanks for any .

11/05/2007, 18:00   #2
shimmyshack

On 11 May, 17:27, geomet...@fastmail.fm wrote:
> Dear all,
>
> I'm aware that the user agent string is not a reliable way to restrict
> access to certain browsers. However, I would like to use it to prevent
> access to the pages in some directory for user agents other than
> MSIE 6.0. (I mean for users with poor computer knowledge).
> The purpose is not security; just to make the pages display only with
> tested browsers.
>
> On my PC, MSIE 6 announces it as :
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).
>
> and other browsers as :
> Mozilla/5.0 (Windows ...
>
> I tested this :
>
> ServerName localhost
> DocumentRoot "C:/Apache2/htdocs"
>
> <Directory />
> Order deny,allow
> Deny from all
> </Directory>
>
> NameVirtualHost *:80
> <VirtualHost *:80>
> ServerName www.sometest.com
> DocumentRoot "C:/Apache2/sometest/www"
>
> <Directory C:/Apache2/sometest/www>
> allow from all
> </Directory>
>
> BrowserMatch ^Mozilla/4.0 msie6
> <Directory C:/Apache2/sometest/www/onlymsie6>
> deny from all
> allow from env=msie6
> </Directory>
> </VirtualHost>
>
> This works: users with Opera or Netscape are not allowed to access the
> docs in subfolder "onlymsie6", as long as they don't cheat with the
> user agent string.
>
> Despite this success, I have 4 questions:
>
> Firstly, I observed that setting the msie6 environment variable to
> "Mozilla/4.0 (compatible; MSIE 6.0"
> does not work, because of the "(" parenthesis, Apache is unable to
> compile the httpd.conf file (even when using double quotes).
> Is there a way to escape the "(" character ?
>
> Secondly, is there a simple way to redirect all non-accepted browsers
> to a custom error page telling them why they don't have access?
>
> Thirdly, does the "^" character mean that the user agent must begin
> with the specified string?
>
> Lastly, I wonder if there is a way to make the server-side browser
> detection more powerful. For instance testing if the user agent
> accepts forms or if it is JavaScript-enabled. I do such tests
> clientside but it would be nice if I could check also serverside to
> stop cheats.
>
> Thanks for any .


you cannot stop cheats this way!!
1. I'm not sure about that one, have you tried \
2. If you use the rewrite, you don't need the
Order Allow,Deny
allow from msie

RewriteCond %{HTTP_USER_AGENT} !^Mozilla/4.0
RewriteRule .* /banned.html
3. yes ^ means starts with, unless it's with [^a-z] when it means not - as in algebra
4. no, you are still matching a string, and assuming properties of
the browser based on the string - you must feature detect where the
features are tested. Unfortunately even then people can cheat - should
they care to!
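
Questions 1 and 2 of the thread, worked as an added example that is not from either poster: the asker's directory block with the regex metacharacters escaped and a custom page for refused browsers, in the Apache 2.0/2.2 access-control syntax the thread uses. The /unsupported-browser.html path is an assumption.

```apacheconf
# Added example, not from the thread.
# BrowserMatch takes a regular expression, so "(" opens a group and an
# unbalanced one fails to compile. Escape "(" and "." with a backslash,
# and double-quote the pattern because it contains spaces.
BrowserMatch "^Mozilla/4\.0 \(compatible; MSIE 6\.0" msie6

<Directory "C:/Apache2/sometest/www/onlymsie6">
    Order deny,allow
    Deny from all
    Allow from env=msie6

    # Hypothetical page (assumed path). It must live outside onlymsie6,
    # in a directory every client may read, so that a refused browser is
    # still allowed to fetch the explanation.
    ErrorDocument 403 /unsupported-browser.html
</Directory>
```

The User-Agent header is supplied by the client, so this only steers untested browsers to an explanation page; it does not restrict access.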

