authscript ignore/return URLs


Wouter Hendriks

Nov 13, 2021, 6:05:52 AM
to General WebHare developers discussion
In most "check auth" (webrule authscript) I eventually have to write something like

```
STRING url := GetRequestURL();
IF (url LIKE "*/.ap/*"
    OR url LIKE "*/.uc/*"
    OR url LIKE "*/.publisher/*"
    OR url LIKE "*/wh_services/*"
    OR url LIKE "*.wrd/auth/restoresession.shtml*")
  RETURN;
```

to prevent all kinds of redirect loops. This cannot be the best solution, can it? :-)

Arnold Hendriks

Nov 14, 2021, 4:58:03 AM
to General WebHare developers discussion
Nope, as an access check like this could be skipped by simply appending ?/.ap/ to any URL protected by it.

The best solution would probably be not to attempt to run authentication inside the URL you're trying to protect. Protect "/admin/" not "/", or run the authentication on a different hostname (i.e. that's how WebHare's access rules solve it - the authentication process runs on a different host).
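To make the point concrete, here is an added example (Python, not HareScript, and not WebHare's own code) that reproduces the glob-over-the-whole-URL check from the first post beside a path-anchored version, and a variant that only runs the check under a protected prefix. The hostname, the `/admin/` prefix and the assumption that the system endpoints live at the site root are constructed for the example.

```python
"""Added example, not from the thread: why glob-matching exemptions against the
full request URL is bypassable, and a path-anchored alternative.
All URLs and the hostname below are constructed sample values."""
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The exemption patterns from the original post, applied to the whole URL.
NAIVE_EXEMPT_GLOBS = (
    "*/.ap/*",
    "*/.uc/*",
    "*/.publisher/*",
    "*/wh_services/*",
    "*.wrd/auth/restoresession.shtml*",
)


def naive_is_exempt(url: str) -> bool:
    """The original check: glob match over the full URL, query string included.
    A '*' in fnmatch also matches '/' and '?', so anything after the '?' counts."""
    return any(fnmatchcase(url, pattern) for pattern in NAIVE_EXEMPT_GLOBS)


# Assumption for this example: the system endpoints sit at the site root, so
# the exemptions can be anchored to the first path segment.
EXEMPT_FIRST_SEGMENTS = {".ap", ".uc", ".publisher", "wh_services"}


def _path_segments(url: str) -> list[str]:
    """Path component only (no query, no fragment), with '..' and '//' collapsed.
    Percent-decoding rules are left to the web server in front of this check."""
    path = urlsplit(url).path
    return [seg for seg in posixpath.normpath(path).split("/") if seg]


def path_is_exempt(url: str) -> bool:
    """Hardened check: decide on the normalized path, never on the query string."""
    segs = _path_segments(url)
    if not segs:
        return False
    if segs[0] in EXEMPT_FIRST_SEGMENTS:
        return True
    # "<something>.wrd/auth/restoresession.shtml", matched on path segments
    return (
        len(segs) >= 3
        and segs[-3].endswith(".wrd")
        and segs[-2] == "auth"
        and segs[-1] == "restoresession.shtml"
    )


def requires_auth(url: str, protected_prefix: str = "/admin/") -> bool:
    """Second suggestion from the thread: only run the check inside a protected
    sub-tree (here the constructed prefix /admin/), so the root-level system
    URLs never reach the login redirect in the first place."""
    path = "/" + "/".join(_path_segments(url)) + "/"
    if not path.startswith(protected_prefix):
        return False
    return not path_is_exempt(url)


if __name__ == "__main__":
    bypass_attempt = "https://www.example.test/admin/secret?/.ap/"
    print("naive check exempts it:", naive_is_exempt(bypass_attempt))
    print("path check exempts it: ", path_is_exempt(bypass_attempt))
    print("auth required:         ", requires_auth(bypass_attempt))
```

The naive check exempts the URL as soon as `/.ap/` appears anywhere, including in the query string; the path-anchored check only looks at the resolved path, so appending `?/.ap/` (or `/../.ap/`) to a protected URL no longer turns the check off.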

Arnold Hendriks

Aug 15, 2025, 6:32:57 AM
to General WebHare developers discussion
BTW: We have IsWHSafePublicEndpoint nowadays to find which URLs should pass.