homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

Blocking old versions of MSIE

 7:26 pm on Jan 14, 2013 (gmt 0)

I have had an .htaccess rule for a couple of years now, that blocks old versions of MSIE and thereby blocks a number of unwanted visitors. But now that MSIE v10 is around, it seems to be caught by this rule - I'd be grateful if anyone could advise me how it should be constructed to avoid blocking MSIE v10. At the moment I have just hashed it out.

RewriteCond %{HTTP_USER_AGENT} ^MSIE.[1-6]\.* [OR]
RewriteCond %{HTTP_USER_AGENT} .*MSIE.[1-6]\.* [OR]

Many thanks.



 7:34 pm on Jan 14, 2013 (gmt 0)


matches literal MSIE


followed by a SINGLE DIGIT 1 to 6

followed by zero or more PERIODS

followed by ANYTHING.

It matches


and many other things it should not.

. means ANY character

\. means a literal period

* means zero or more times.

\.* means something different to .*

Never use .* at the beginning or in the middle of a RegEx pattern.

\.* is always an error.


 8:33 pm on Jan 14, 2013 (gmt 0)

Thank you - that seems to negate most of that string except for the [1-6] section, but I can't seem to work out a format that doesn't block a useragent with MSIE 10.0 in it. How can I confine the block to very old versions 1-6 only please?

Many thanks.


 8:48 pm on Jan 14, 2013 (gmt 0)

What is the \.* bit MEANT to match?

It actually matches <nothing> or . or .. or ...

When it matches NOTHING, then any digits that follow after will match.

1\.*0 matches 1.0 and 1....0 and 10

1\.* matches the same stuff with ANYTHING in place of the 0.

The * is the problem. Delete it.

Additionally, the period before [1-6] is another problem as it matches ANYTHING once.


 9:10 pm on Jan 14, 2013 (gmt 0)

That's done the trick - thank you. I've tested with a MSIE 10 user agent and it isn't blocked.


 9:21 pm on Jan 14, 2013 (gmt 0)

Those patterns still have a LOT of other issues.

Unless you work out exactly what should and should not match, and adjust the patterns to suit, you'll be back here again and again as each new thing goes wrong.


 9:33 pm on Jan 14, 2013 (gmt 0)

Whoops! Forgot to refresh tab before posting. Redundant post follows:

Didn't wilderness have a post just a few days ago asking the same question?

The final asterisk effectively destroys the rule because it makes the period optional in exactly the place where you need it to be mandatory:
MSIE\ [1-6]\.
and that's all.

The leading anchor kills the rule in a different way, because "MSIE" never comes at the very beginning of a UA string. Well, except for the occasional robot.


 10:49 pm on Jan 14, 2013 (gmt 0)

Didn't wilderness have a post just a few days ago asking the same question?

Except I've no interest in allowing any versions of IE prior to 6.0, or after 10.0 (the current version.

To do so would open the door to malformed UA's.

Why allow anything past 10.0 if MS doesn't even have a newer version on the board?


 2:14 am on Jan 15, 2013 (gmt 0)

Hm, right, we're not talking Chrome or FF here ;)

:: detour to raw logs ::

Lord! What a boring UA. Every last one ends in .0; (dot, zero, semicolon) leading to single space* and more stuff.

I limited my search to requests that got through with a 200. So if there are any other numbering formats, they're strictly in Bad-Robot-Land and need not concern us. There were definitely non-zero versions of 5-- the last Mac version was 5.23, but I only use it to test my own lockouts ;) If you ever meet a 4.01 it will be part of a costume worn by unfashionable Russian robots.

So that's

MSIE\ ([6-9]|10)\.0;

My own [1-4]\. was for unconditional denial, so the fewer details the better. It's only with 5 and 6 that I make judgment calls, and that's getting into YMMV territory. I can probably dump the 5; I think even Iqaluit has finally upgraded the last of theirs to 7 or 8.

* Except the plainclothes MSNbot, which likes double spaces.


 3:32 am on Jan 15, 2013 (gmt 0)

MSIE\ ([6-9]|10)\.0;

not quite and this is only the MSIE portion of multiple lines that checks browsers.

MSIE\ ([6-9]|10)\.[0-9];

I suppose the version portion should be modifed even further to only include the current version (s) of 10.


 10:04 pm on Jan 15, 2013 (gmt 0)

If they go to multiple versions I hope they warn us. That was my surprising discovery in the previous post: In MSIE 6 and up there are no version numbers. It's all point zero. At least in the UA string, which may be entirely different from what you see in your "About MSIE" box.

Happily we're now in 10 so it's an easy toggle: either [7-9]\.0; or 10\.whatever-it-turns-out-to-be. I doubt you'll ever get those strings of multiple decimal-delimited sets from browsers that think their UA string is a CIDR ;)

Chrome/23.0.1271.97 Safari/537.11
Chrome/12.0.742 Safari/534.51

I grabbed the oldest and newest available raw log files. So Chrome has not only jumped forward some 10-to-15 versions, they've added a digit in the UA. Safari itself appears to use 3 sets of numbers when it appears in its own right, 2 when it's part of the Chrome UA string.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved