#1
  1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2000
    Posts
    3
    Rep Power
    0
    Hello all,

    I'm working on a project that requires a custom authentication scheme to protect all the files in a directory. I have already written the auth program and it works quite well. My current problem is in restricting direct access to the directory that is being protected. I've been trying to use .htaccess and the RewriteEngine to check the referer to make sure that the user is coming from either my auth script or from a page already in the directory (meaning they'd already been auth'd ok). The .htaccess file is here:

    Options -Indexes
    AuthUserFile /dev/null
    AuthGroupFile /dev/null

    RewriteEngine on
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/protected/.* [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/index.html [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/secondaccess.html [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/cgi/pitch.pl [NC]
    RewriteCond %{HTTP_REFERER} ^$
    RewriteCond %{HTTP_REFERER} =""
    RewriteRule ^/.* http://www.mydomain.com/secondaccess.html [R,L]


    The redirect works great if someone enters simply http://www.mydomain.com/protected into their browser (should be an empty referer), but doesn't work if they enter a valid filename in the directory e.g. http://www.mydomain.com/protected/index.html. The page is served instead of them being redirected (referer should still be empty).

    Does anyone have any idea what I might be doing wrong or suggestions as to a better way to do it? I have total control over the server so I can do something in httpd.conf if I need to. I've read all the documentation on mod_rewrite that I can find online and am just plain stuck.

    Thanks for any help!!

    Marc
  2. #2
    freebsd
    Guest
    >>what I might be doing wrong or suggestions as to a better way to do it?

    Why are you using "redirection approach" for authentication?

    Please check here -> http://www.apacheweek.com/features/userauth
  4. #3
    User auth using usernames and passwords is not sufficient for my needs. I also need to restrict access based on a number of other factors, including the user's IP address.

    My whole problem boils down to the fact that the RewriteCond's above don't seem to hit the blank referer check and redirect them.

    --
    Marc
  6. #4
    freebsd
    Guest
    This is untested, just my little idea.

    #httpd.conf
    SetEnvIf Referer www.mydomain.com/protected/ okay
    SetEnvIf Referer www.mydomain.com/cgi/pitch.pl also_okay

    <Directory "/home/httpd/htdocs/protected">
    order deny,allow
    deny from all
    allow from env=okay env=also_okay
    </Directory>

    #.htaccess in /protected (so this will override the global ErrorDocument 403)
    ErrorDocument 403 http://www.mydomain.com/secondaccess.html

    or point your ErrorDocument to a script to determine whether the HTTP_REFERER is blank, then Redirect to index.html. Or if HTTP_REFERER is not blank, redirect to secondaccess.html.

    [This message has been edited by freebsd (edited August 23, 2000).]
  8. #5
    Thanks =) I actually just this moment figured it out. It was *really* stupid, of course. I just needed to change my RewriteRule to be
    RewriteRule ^.* http://www.domain.com/secondaccess.html [R,L]

    (change from ^/.* to ^.*).
    --
    Marc
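
The fix in post #5, as an added example that is not part of the thread: a simplified Python model of how mod_rewrite evaluates the posted rules in per-directory (.htaccess) context, where the directory prefix is stripped before the RewriteRule pattern is tested. The function names and the elsewhere.example referer are constructed for illustration; this is a model, not Apache's own code.

```python
import re

# Constructed model of the thread's .htaccess, not Apache's own code.
HTACCESS_DIR = "/protected/"          # directory holding the .htaccess
ALLOWED_REFERERS = [                  # the four negated RewriteCond patterns, [NC]
    r"^http://www.mydomain.com/protected/.*",
    r"^http://www.mydomain.com/index.html",
    r"^http://www.mydomain.com/secondaccess.html",
    r"^http://www.mydomain.com/cgi/pitch.pl",
]
TARGET = "http://www.mydomain.com/secondaccess.html"


def per_dir_path(url_path):
    """Per-directory context: the directory prefix, including its trailing
    slash, is stripped before the RewriteRule pattern is tested."""
    if not url_path.startswith(HTACCESS_DIR):
        return None                   # this .htaccess is not consulted
    return url_path[len(HTACCESS_DIR):]


def conditions_hold(referer):
    """RewriteCond lines without [OR] are ANDed: every one must be true."""
    not_allowed = all(not re.search(p, referer, re.I) for p in ALLOWED_REFERERS)
    # The last two conditions in the post (^$ and ="") both test for empty.
    is_empty = re.search(r"^$", referer) is not None and referer == ""
    return not_allowed and is_empty


def evaluate(rule_pattern, url_path, referer=""):
    """Return the redirect target, or None when the request is served."""
    local = per_dir_path(url_path)
    if local is None or not re.search(rule_pattern, local):
        return None                   # pattern is tested before the conditions
    return TARGET if conditions_hold(referer) else None


if __name__ == "__main__":
    for pattern in (r"^/.*", r"^.*"):
        for ref in ("", "http://www.mydomain.com/protected/a.html",
                    "http://elsewhere.example/"):
            print(pattern, repr(ref), "->",
                  evaluate(pattern, "/protected/index.html", ref))
```

In this model the rule fires only for an empty Referer: because the `^$` and `=""` conditions are ANDed with the negated ones, a request carrying any non-empty Referer from an unlisted site is served rather than redirected.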
