
So I'm in the process of building my own web-application type project. However, I only want the website to be viewable through a web client of mine. I have set the web client's user agent setting to a custom name (MySecretClient) and am now attempting to only allow access from browsers with the user agent, MySecretClient. Everyone else gets redirected.

Is there a better way to go about doing this?

JDev
    Remember, user agent can be spoofed--it can be sniffed through proxy--like Fiddler4. – Adam Azad Feb 18 '16 at 17:23
    This is known as *security through obscurity*, which "is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms." This is not good practice in general, as real security comes from locking the system properly using a good authentication mechanism. See [this answer](http://stackoverflow.com/a/534006/1626250) for reference. Also [read this](http://www.pearsonitcertification.com/articles/article.aspx?p=2218577&seqNum=7). – Mike Rockétt Feb 18 '16 at 17:27

2 Answers


As with so many web technology questions, there is a strict, theoretical answer and a "good enough for what you probably want" answer. The strict answer is: You can't, it doesn't work that way. Since the client can send whatever user agent string it wants to, you have no way of knowing what client is actually behind any given request.

The "good enough" answer that will prevent the vast majority of users from seeing your site with the "wrong" user agent is documented here:

http://www.htaccesstools.com/articles/detect-and-redirect-iphone/

The relevant .htaccess block from the link, which redirects requests from iPhone user agents to an iPhone specific site is:

```apache
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteCond %{REQUEST_URI} !^/my-iPhone-site/
RewriteRule .* /my-iPhone-site/ [R]
```

Which you could modify in your case to redirect users with the wrong client:

```apache
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !^MySecretClient$
RewriteRule .* <URL of a tropical island paradise> [R]
```

There is one other answer to what might be your intention in doing this. If this is part of your application's security strategy, it is a bad idea! This is what's known as "security through obscurity" and is a well-established anti-pattern that should be avoided. Any but the most casual attacker of your software will quickly realize what's going on, figure out what client your application is meant to run on, and spoof it.

AmericanUmlaut
  • Thank you for your answers. `RewriteCond %{HTTP_USER_AGENT} !SecretUserAgent` seemed to work for `SecretUserAgent`. And then of course, the RewriteRule. – JDev Feb 19 '16 at 00:59
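As an added illustration (not code from either answer), here is a small Python model of how Apache evaluates the RewriteCond lines above: regex patterns are matched with search semantics, a leading `!` negates, and a missing header expands to the empty string. It runs the iPhone rule, the anchored `!^MySecretClient$` rule and the unanchored `!SecretUserAgent` form from the follow-up comment against constructed requests; the redirect target `ELSEWHERE` is a hypothetical stand-in for the answer's placeholder URL.

```python
import re

# Apache-style evaluation of one RewriteCond whose pattern is a regex:
# it is applied with search semantics, so "iPhone" matches anywhere in
# the value and only ^/$ anchor it; a leading "!" negates the result.
def cond_matches(value, pattern):
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    return (re.search(pattern, value) is not None) != negate

# A rule is ([(server_variable, pattern), ...], target). It fires only
# when every condition holds, mirroring RewriteCond lines followed by
# one RewriteRule. Returns the redirect target, or None for "serve".
def redirect_target(request, rule):
    conds, target = rule
    for var, pattern in conds:
        # An absent header expands to "", just as %{HTTP_USER_AGENT}
        # does when the client sends no User-Agent at all.
        if not cond_matches(request.get(var, ""), pattern):
            return None
    return target

ELSEWHERE = "https://example.invalid/elsewhere"  # hypothetical stand-in URL

# Rules from the discussion: the iPhone redirect (with its loop guard on
# REQUEST_URI), the anchored MySecretClient rule, and the unanchored
# variant from the asker's follow-up comment.
IPHONE_RULE = ([("HTTP_USER_AGENT", "iPhone"),
                ("REQUEST_URI", "!^/my-iPhone-site/")], "/my-iPhone-site/")
ANCHORED_RULE = ([("HTTP_USER_AGENT", "!^MySecretClient$")], ELSEWHERE)
UNANCHORED_RULE = ([("HTTP_USER_AGENT", "!SecretUserAgent")], ELSEWHERE)

if __name__ == "__main__":
    # Constructed sample requests. Every value here is chosen by the
    # client, which is why none of these rules is an authentication control.
    samples = [
        ({"HTTP_USER_AGENT": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0)",
          "REQUEST_URI": "/"}, IPHONE_RULE),
        ({"HTTP_USER_AGENT": "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0)",
          "REQUEST_URI": "/my-iPhone-site/index.html"}, IPHONE_RULE),
        ({"HTTP_USER_AGENT": "MySecretClient"}, ANCHORED_RULE),
        ({"HTTP_USER_AGENT": "MySecretClient/1.0"}, ANCHORED_RULE),
        ({}, ANCHORED_RULE),
        ({"HTTP_USER_AGENT": "Mozilla/5.0 SecretUserAgent"}, UNANCHORED_RULE),
    ]
    for req, rule in samples:
        print(req.get("HTTP_USER_AGENT", "<none>"), "->",
              redirect_target(req, rule) or "served")
```

Note that the unanchored form lets any user agent that merely contains the token through, while the anchored form also redirects a versioned variant such as `MySecretClient/1.0`.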
```php
<?php

define('MY_USER_AGENT', 'Custom User Agent');
define('REDIRECT_LOCATION', 'http://www.google.com');

// The header may be absent entirely; default to '' so the comparison
// still fails closed instead of raising an undefined-index notice.
$userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

if ($userAgent !== MY_USER_AGENT) {
    header('Location: ' . REDIRECT_LOCATION);
    die();
}
```
    The question does not specify that this is a PHP application and there is no PHP tag. I believe the request is specifically looking for an .htaccess or Apache configuration option, given the tags. – AmericanUmlaut Feb 18 '16 at 17:38
    @AmericanUmlaut - For reference, I did remove the PHP tag as I believed it to be irrelevant to the question - there was no mention of PHP in the question itself. – Mike Rockétt Feb 18 '16 at 17:41