httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] user authentication and redirect to directory
Date Tue, 15 Mar 2005 14:30:33 GMT
On Tue, 15 Mar 2005 15:09:23 +0200, Claudiu Sebe <csebe@fx.ro> wrote:
> Hello all,
> 
> Here is the story:
> 
> In a certain directory, users authenticate through mod_auth user/pass
> mechanism like:
>     ####
>     <Directory /var/www/localhost/protected>
>     Options +FollowSymLinks +Indexes
>     AuthName "Client Login"
>     AuthType Basic
>     AuthUserFile /var/www/passes/.htpass
>     Require valid-user
>     ####
> 
> The /protected directory looks like:
>     /protected
>         /user1
>         /user2
>     ...
> 
> After authentication I need to redirect the user to their directory based on
> the login name, so in the same <Directory...> directive, I put:
>     ####
>     RewriteEngine on
>     RewriteRule ^$ /protected/%{REMOTE_USER}/$1 [L,R]
>     ####
> 
> Up to here it works OK. But I'd like to prevent users who know the full path
> to other users' directories from being able to enter there.

> IMHO what I need can't be done only with mod_rewrite. Can anyone prove me
> wrong 8-) ?

I think there is something you aren't telling us, since your above
RewriteRule should create an infinite loop (it will hit again on the
request to /protected/%{REMOTE_USER}).  And in addition, the $1
doesn't match anything.

The way I would handle this (and there are probably others), is to
remove the "R" from your RewriteRule.  That way the users won't have
any choice (or knowledge) about the specific subdirectory that they
are entering.  It would look something like:

    RewriteRule (.*) /full/path/to/protected/%{REMOTE_USER}/$1 [L]

One way to avoid the infinite loop problem would be to put
/full/path/to/protected someplace outside the DocumentRoot.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
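
The internal rewrite described in the reply above, written out as an added example that is not from either poster or from the Apache project. It keeps the per-user directories under /protected and swaps in a RewriteCond guard to stop the loop, instead of moving them outside the DocumentRoot. It assumes the DocumentRoot is /var/www/localhost, so that the URL prefix /protected maps to the <Directory> from the original post, and that login names do not contain "<".

```apache
# Added example. Assumption: DocumentRoot is /var/www/localhost, so the URL
# prefix /protected maps to the directory below.
<Directory /var/www/localhost/protected>
    # FollowSymLinks is required for per-directory rewriting to be active.
    Options +FollowSymLinks +Indexes
    AuthName "Client Login"
    AuthType Basic
    AuthUserFile /var/www/passes/.htpass
    Require valid-user

    RewriteEngine On

    # In per-directory context the pattern is matched against the path with
    # the directory prefix stripped: "user1/report.pdf", or "" for /protected/.
    # $1 is the first path segment, $2 is everything after it.
    #
    # Loop guard: the TestString joins the authenticated name and $1 with
    # "<>", and the backreference \1 in the CondPattern only matches when the
    # two are identical. The leading "!" makes the rule fire only when the
    # request is NOT already inside the caller's own directory.
    RewriteCond %{REMOTE_USER}<>$1 !^([^<]+)<>\1$

    # No R flag: this is an internal rewrite, so the browser is never sent
    # the per-user path. REMOTE_USER is set here because authentication has
    # already run by the time per-directory rules are evaluated.
    RewriteRule ^([^/]*)(.*)$ /protected/%{REMOTE_USER}/$1$2 [L]
</Directory>
```

With this in place, a request by user1 for /protected/user2/file is served from /protected/user1/user2/file, which normally does not exist, while /protected/ and /protected/user1/file both resolve inside user1's own directory.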