Directory Protection

Hello all,

I'm working on a project that requires a custom authentication scheme to protect all the files in a directory. I have already written to auth program and it works quite well. My current problem is in restricting direct access to the directory that is being protected. I've been trying to use .htaccess and the RewriteEngine to check the referer to make sure that the user is coming from either my auth script or from a page already in the directory (meaning they'd already been auth'd ok). The .htaccess file is here:

Options -Indexes
AuthUserFile /dev/null
AuthGroupFile /dev/null

RewriteEngine on
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/protected/.* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/index.html [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/secondaccess.html [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/cgi/pitch.pl [NC]
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_REFERER} =""
RewriteRule ^/.* http://www.mydomain.com/secondaccess.html [R,L]


The redirect works great if someone enters simply http://www.mydomain.com/protected into their browser (should be an empty referer), but doesn't work if they enter a valid filename in the directory e.g. http://www.mydomain.com/protected/index.html. The page is served instead of them being redirected (referer should still be empty).

Does anyone have any idea what I might be doing wrong or suggestions as to a better way to do it? I have total control over the server so I can do something in httpd.conf if I need to. I've read all the documentation on mod_rewrite that I can find online and am just plain stuck.

Thanks for any help!!

Marc

>>what I might be doing wrong or suggestions as to a better way to do it?

Why are you using "redirection approach" for authentication?

Please check here -> http://www.apacheweek.com/features/userauth

User auth using usernames and passwords is not sufficient for my needs. I'm also needing to restrict access based on a number of other factors including the users IP address.

My whole problems boils down to the fact that the RewriteCond's above don't seem to hit the blank referer check and redirect them.

--
Marc

This is untested, just my little idea.

#httpd.conf
SetEnvIf Referer www.mydomain.com/protected/ okay
SetEnvIf Referer www.mydomain.com/cgi/pitch.pl also_okay

<Directory "/home/httpd/htdocs/protected">
order deny,allow
deny from all
allow from env=okay env=also_okay
</Directory>

#.htaccess in /protected (so this will override the global ErrorDocument 403)
ErrorDocument 403 http://www.mydomain.com/secondaccess.html

or point your ErrorDocument to a script to determine whether the HTTP_REFERER is blank, then Redirect to index.html. Or if HTTP_REFERER is not blank, redirect to secondaccess.html.

[This message has been edited by freebsd (edited August 23, 2000).]

Thanks =) I actually just this moment figured it out. It was *really* stupid, of course. I just needed to change my RewriteRule to be
RewriteRule ^.* http://www.domain.com/secondaccess.html [R,L]

(change from ^/.* to ^.*).
--
Marc