#1
Hello all,

I'm working on a project that requires a custom authentication scheme to protect all the files in a directory. I have already written the auth program and it works quite well. My current problem is in restricting direct access to the directory that is being protected. I've been trying to use .htaccess and the RewriteEngine to check the referer to make sure that the user is coming from either my auth script or from a page already in the directory (meaning they'd already been auth'd ok). The .htaccess file is here:

```
Options -Indexes
AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine on
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/protected/.* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/index.html [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/secondaccess.html [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/cgi/pitch.pl [NC]
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_REFERER} =""
RewriteRule ^/.* http://www.mydomain.com/secondaccess.html [R,L]
```

The redirect works great if someone enters simply http://www.mydomain.com/protected into their browser (should be an empty referer), but doesn't work if they enter a valid filename in the directory, e.g. http://www.mydomain.com/protected/index.html. The page is served instead of them being redirected (referer should still be empty).

Does anyone have any idea what I might be doing wrong or suggestions as to a better way to do it? I have total control over the server so I can do something in httpd.conf if I need to. I've read all the documentation on mod_rewrite that I can find online and am just plain stuck.

Thanks for any help!!

Marc
#2
>>what I might be doing wrong or suggestions as to a better way to do it?
Why are you using "redirection approach" for authentication? Please check here -> http://www.apacheweek.com/features/userauth
#3
User auth using usernames and passwords is not sufficient for my needs. I'm also needing to restrict access based on a number of other factors including the user's IP address.

My whole problem boils down to the fact that the RewriteConds above don't seem to hit the blank referer check and redirect them.

-- Marc
#4
This is untested, just my little idea.

```
#httpd.conf
SetEnvIf Referer www.mydomain.com/protected/ okay
SetEnvIf Referer www.mydomain.com/cgi/pitch.pl also_okay
<Directory "/home/httpd/htdocs/protected">
order deny,allow
deny from all
allow from env=okay env=also_okay
</Directory>

#.htaccess in /protected (so this will override the global ErrorDocument 403)
ErrorDocument 403 http://www.mydomain.com/secondaccess.html
```

or point your ErrorDocument to a script to determine whether the HTTP_REFERER is blank, then Redirect to index.html. Or if HTTP_REFERER is not blank, redirect to secondaccess.html.

[This message has been edited by freebsd (edited August 23, 2000).]
#5
Thanks =) I actually just this moment figured it out. It was *really* stupid, of course. I just needed to change my RewriteRule to be

```
RewriteRule ^.* http://www.domain.com/secondaccess.html [R,L]
```

(change from ^/.* to ^.*).

-- Marc
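
The thread's rules can be checked against sample requests with a small model of per-directory mod_rewrite evaluation. This is an added example, not code from any poster; it assumes the .htaccess sits in /protected/ (so that prefix is stripped before the RewriteRule pattern is tested), and the sample requests and the `other.example` host are constructed.

```python
import re

# Assumption: the .htaccess lives in /protected/, so mod_rewrite strips this
# per-directory prefix from the URL path before testing the RewriteRule pattern.
PER_DIR_PREFIX = "/protected/"

# (negated, pattern) pairs copied from post #1. Consecutive RewriteCond lines
# are ANDed. Case is ignored for all of them here; [NC] does not affect ^$.
CONDS = [
    (True,  r"^http://www.mydomain.com/protected/.*"),
    (True,  r"^http://www.mydomain.com/index.html"),
    (True,  r"^http://www.mydomain.com/secondaccess.html"),
    (True,  r"^http://www.mydomain.com/cgi/pitch.pl"),
    (False, r"^$"),  # also covers the ="" test, which means "empty string"
]

def conds_hold(referer):
    """True when every RewriteCond in the chain is satisfied (implicit AND)."""
    for negated, pattern in CONDS:
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        if matched == negated:
            return False
    return True

def redirected(url_path, referer, rule_pattern):
    """True when the RewriteRule would send this request to secondaccess.html."""
    if not url_path.startswith(PER_DIR_PREFIX):
        return False
    local = url_path[len(PER_DIR_PREFIX):]  # what the rule pattern really sees
    # mod_rewrite tests the rule pattern first, then the conditions.
    return re.search(rule_pattern, local) is not None and conds_hold(referer)

def survey(rule_pattern):
    """Evaluate three constructed requests against one rule pattern."""
    requests = [
        ("/protected/index.html", ""),                                  # typed URL
        ("/protected/index.html", "http://www.mydomain.com/cgi/pitch.pl"),
        ("/protected/index.html", "http://other.example/page.html"),    # other site
    ]
    return [redirected(path, ref, rule_pattern) for path, ref in requests]

if __name__ == "__main__":
    print("^/.* :", survey(r"^/.*"))  # rule from post #1
    print("^.*  :", survey(r"^.*"))   # rule from post #5
```

With `^/.*` nothing is redirected, because the pattern is tested against `index.html`, which has no leading slash. With `^.*` only the empty-Referer request is redirected: the `^$` condition is ANDed with the rest, so a request carrying a Referer from any other site is served.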
Viewing: Dev Shed Forums > System Administration > Apache Development > Directory Protection