httpd-users mailing list archives

From Michael Thompson <>
Subject Re[2]: [users@httpd] Help with .htaccess file
Date Thu, 05 Aug 2004 11:27:06 GMT
Hello Joshua,

On Wed, 4 Aug 2004, at 09:51:27 [GMT -0400] (which was 14:51 in my
TimeZone) you wrote:

> On Tue, 3 Aug 2004 04:48:44 +0100 (BST),
> <> wrote:
>> I have a certain directory on my webserver, only authenticated users are
>> allowed in. They are authenticated in the CMS. When logged in there they
>> get a link to take them to the forum.

>> This works great, apart from when the user makes a post (External from the
>> IPs listed in the .htaccess), and the system then goes off and tries to
>> load a page.

>> So I tried putting this in my .htaccess as well,
>> Code:
>> SetEnvIf Referer ^http://81\.174\.224\.69 access
>> setEnvIf Request_URI "/forum/" access2
>> Order deny,allow
>> Deny from all
>> Allow from
>> Allow from env=access
>> Allow from env=access2
>> And yep, that does work. Only problem is that someone typing in the
>> direct and full URL to the forum or posting can now get it bypassing the
>> security.

> Your problem description is not very clear.  Exactly what
> characteristics do you expect apache to look at to determine if a user
> is allowed in?

> If I had to guess, it seems like you want the check applied by the CMS
> to also apply to the /forum/.  If that is true, then you need the CMS
> to control access to the forum.

> HTTP is, by default, stateless.  There is no concept of having "logged
> in" one place and therefore gaining access to another place.  The
> appropriate credentials and checks must be provided on each and every
> request.  (Many systems get around this by doing the checks once, then
> providing cookies that the browser must send every time to prove that
> they are logged in.  Then the system only needs to check the cookies.)

> Joshua.

I knew that, the CMS does indeed validate users, once validated they
get the link to click on. That works just fine, however I wanted to
stop Mr Joe Bloggs from typing in a URL directly outside of the
systems and having access to the system.

Best regards,
PGP KeyID := 0xA9547E32

Clinton/Gore is to the presidency as Beavis & Butthead are to television. 
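
Added example, not part of the original message or thread: a Python model of the posted `.htaccess` rules beside the per-request cookie check Joshua describes, showing why `Allow from env=access2` admits a direct `/forum/` request while a signed cookie does not depend on the URL. The function names, the `user|expires|mac` cookie layout and the shared key are assumptions made for illustration, and the stripped `Allow from` IP list is left out of the model.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-key"  # assumption: key shared by the CMS and the forum

def htaccess_allows(uri, referer=""):
    """Model of the posted rules: Order deny,allow / Deny from all /
    Allow from env=access / Allow from env=access2 (IP list omitted)."""
    access = re.search(r"^http://81\.174\.224\.69", referer) is not None
    access2 = re.search(r"/forum/", uri) is not None
    # With Order deny,allow, any matching Allow overrides "Deny from all".
    return access or access2

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, ttl=3600, now=None):
    """CMS side: called once, after the CMS has authenticated the user."""
    expires = int(now if now is not None else time.time()) + ttl
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"

def cookie_allows(cookie, now=None):
    """Forum side: run on every request, whatever the URI or Referer."""
    try:
        user, expires, mac = cookie.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    expected = _sign(f"{user}|{expires}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # value was not issued by the CMS
    return expires > (now if now is not None else time.time())
```
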
