httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] Help with .htaccess file
Date Wed, 04 Aug 2004 13:51:27 GMT
On Tue, 3 Aug 2004 04:48:44 +0100 (BST), mike@thompsonmike.co.uk
<mike@thompsonmike.co.uk> wrote:
> I have a certain directory on my webserver, only authenticated users are
> allowed in. They are authenticated in the CMS. When logged in there they
> get a link to take them to the forum.

> This works great, apart from when the user makes a post (External from the
> IPs listed in the .htaccess), and the system then goes off and tries to
> load a page.

> So I tried putting this in my .htaccess as well,
> 
> Code:
> 
> SetEnvIf Referer ^http://81\.174\.224\.69 access
> setEnvIf Request_URI "/forum/" access2
> Order deny,allow
> Deny from all
> Allow from 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1
> Allow from env=access
> Allow from env=access2
> 
> And yep, that does work. Only problem is that someone typing in the
> direct and full URL to the forum or posting can now get in, bypassing the
> security.

Your problem description is not very clear.  Exactly what
characteristics do you expect Apache to look at to determine if a user
is allowed in?

If I had to guess, it seems like you want the check applied by the CMS
to also apply to the /forum/.  If that is true, then you need the CMS
to control access to the forum.

HTTP is, by default, stateless.  There is no concept of having "logged
in" one place and therefore gaining access to another place.  The
appropriate credentials and checks must be provided on each and every
request.  (Many systems get around this by doing the checks once, then
providing cookies that the browser must send every time to prove that
they are logged in.  Then the system only needs to check the cookies.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
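
Added example (not part of the original messages, and not Apache or CMS code): a Python model of the quoted .htaccess rules next to a per-request signed-cookie check of the kind the reply describes. The key, the cookie layout, the function names and the 203.0.113.7 client address are assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, re, time

SECRET = b"constructed-demo-key"  # assumption: a key known only to the CMS
LAN = [ipaddress.ip_network(n)
       for n in ("10.0.0.0/24", "192.168.1.0/24", "127.0.0.1/32")]

def htaccess_allows(ip, uri, referer=""):
    """Model of the quoted rules. With 'Order deny,allow' any matching
    Allow line overrides 'Deny from all'."""
    in_lan = any(ipaddress.ip_address(ip) in net for net in LAN)
    # SetEnvIf Referer: the header is supplied by the client, not verified.
    access = re.search(r"^http://81\.174\.224\.69", referer) is not None
    # SetEnvIf Request_URI "/forum/": true for every request to the forum.
    access2 = re.search(r"/forum/", uri) is not None
    return in_lan or access or access2

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, now=None, ttl=3600):
    """Set once by the CMS after it has authenticated the user."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{user}|{expires}"
    return f"{payload}|{_mac(payload)}"

def cookie_allows(cookie, now=None):
    """Run on every forum request: the MAC must verify and not be expired."""
    try:
        user, expires, mac = cookie.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    expected = _mac(f"{user}|{expires}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # payload or MAC was altered
    return expires > int(time.time() if now is None else now)

if __name__ == "__main__":
    # Constructed request: outside client, direct URL, no cookie.
    print("htaccess:", htaccess_allows("203.0.113.7", "/forum/post.php"))
    print("cookie  :", cookie_allows(None))
    print("cookie  :", cookie_allows(issue_cookie("mike")))
```

The first function grants access to any client that requests a /forum/ URL, which is the behaviour the original poster observed; the cookie check depends only on a value the CMS issued and the server can verify on each request.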

