httpd-users mailing list archives

From Michael Thompson <m...@thompsonmike.co.uk>
Subject Re[2]: [users@httpd] Help with .htaccess file
Date Thu, 05 Aug 2004 11:27:06 GMT
Hello Joshua,


On Wed, 4 Aug 2004, at 09:51:27 [GMT -0400] (which was 14:51 in my
TimeZone) you wrote:




> On Tue, 3 Aug 2004 04:48:44 +0100 (BST), mike@thompsonmike.co.uk
> <mike@thompsonmike.co.uk> wrote:
>> I have a certain directory on my webserver, only authenticated users are
>> allowed in. They are authenticated in the CMS. When logged in there they
>> get a link to take them to the forum.

>> This works great, apart from when the user makes a post (External from the
>> IPs listed in the .htaccess), and the system then goes off and tries to
>> load a page.

>> So I tried putting this in my .htaccess as well,
>> 
>> Code:
>> 
>> SetEnvIf Referer ^http://81\.174\.224\.69 access
>> setEnvIf Request_URI "/forum/" access2
>> Order deny,allow
>> Deny from all
>> Allow from 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1
>> Allow from env=access
>> Allow from env=access2
>> 
>> And yep, that does work. Only problem is that someone typing in the
>> direct and full URL to the forum or posting can now get it bypassing the
>> security.

> Your problem description is not very clear.  Exactly what
> characteristics do you expect apache to look at to determine if a user
> is allowed in?

> If I had to guess, it seems like you want the check applied by the CMS
> to also apply to the /forum/.  If that is true, then you need the CMS
> to control access to the forum.

> HTTP is, by default, stateless.  There is no concept of having "logged
> in" one place and therefore gaining access to another place.  The
> appropriate credentials and checks must be provided on each and every
> request.  (Many systems get around this by doing the checks once, then
> providing cookies that the browser must send every time to prove that
> they are logged in.  Then the system only needs to check the cookies.)

> Joshua.



I knew that, the CMS does indeed validate users, once validated they
get the link to click on. That works just fine, however I wanted to
stop Mr Joe Bloggs from typing in a URL directly outside of the
systems and having access to the system.

-- 
Best regards,
 Michael

http://www.thompsonmike.co.uk/
PGP KeyID := 0xA9547E32
  

Clinton/Gore is to the presidency as Beavis & Butthead are to television. 
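
Added example, not part of the original message or of Apache itself: a simplified Python model of how `Order deny,allow` with `Deny from all` combines with the `Allow` lines quoted above, showing that `Allow from env=access2` admits every request whose path contains /forum/ whatever the client address or login state. The client address 203.0.113.7 and the request paths are constructed sample values, and `decide` is a hypothetical helper.

```python
import ipaddress
import re

# Rules transcribed from the .htaccess quoted in the message.
SETENVIF = [
    ("Referer", re.compile(r"^http://81\.174\.224\.69"), "access"),
    ("Request_URI", re.compile(r"/forum/"), "access2"),
]
ALLOW_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/255.255.255.0", "192.168.1.0/255.255.255.0", "127.0.0.1/32")]
ALLOW_ENVS = ("access", "access2")


def decide(client_ip, uri, headers, setenvif=SETENVIF):
    """Return (allowed, matching_allow_rules) for one request.

    With 'Order deny,allow' and 'Deny from all', a request is refused
    unless at least one Allow directive matches it.
    """
    attrs = dict(headers, Request_URI=uri)
    # SetEnvIf: set the variable when the regex matches the attribute.
    env = {name for attr, rx, name in setenvif if rx.search(attrs.get(attr, ""))}
    matched = []
    if any(ipaddress.ip_address(client_ip) in net for net in ALLOW_NETS):
        matched.append("ip")
    matched += [f"env={name}" for name in ALLOW_ENVS if name in env]
    return bool(matched), matched


if __name__ == "__main__":
    outside = "203.0.113.7"  # constructed external client, no CMS login
    # The URI rule matches every request for the forum, so the IP list
    # no longer restricts anything.
    print(decide(outside, "/forum/index.php", {}))
    # Same request with the Request_URI rule removed: refused again.
    print(decide(outside, "/forum/index.php", {}, SETENVIF[:1]))
    # Internal clients are still admitted by address alone.
    print(decide("192.168.1.20", "/forum/index.php", {}, SETENVIF[:1]))
    # Referer is a header the client supplies, so env=access records what
    # the request claims, not that the CMS validated the user.
    print(decide(outside, "/forum/post.php",
                 {"Referer": "http://81.174.224.69/"}, SETENVIF[:1]))
```

Neither environment variable carries any information about the CMS session, which is why the per-request credential check Joshua describes is the only thing that can distinguish a logged-in user from anyone else.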

