httpd-users mailing list archives

From Lars <>
Subject [users@httpd] Rewrite rule security question
Date Mon, 07 Jan 2008 06:54:53 GMT

Hello list!

I am working on an admin site and I'm using htaccess for access
restrictions. I have a script that generates the htaccess file and I
think it is pretty secure, but I want to have your opinions.

I use IP restrictions and cookie restrictions. I use the standard PHP
session for generating and setting the session cookie. The .htaccess file
generated looks like this:

RewriteEngine on

Order deny,allow
deny from all
allow from

RewriteRule .* - [E=REMOTE_USER:user1,E=PHP_AUTH_USER:user2,C]
RewriteCond %{HTTP_COOKIE} !^.*PHPSESSID=aaaabbbbcccdddeeefff111222333.*$

RewriteRule .* - [E=REMOTE_USER:user2,E=PHP_AUTH_USER:user2,C]
RewriteCond %{HTTP_COOKIE} !^.*PHPSESSID=9999888777666555444332211aabb.*$

RewriteRule .*$ - [F]

ErrorDocument 403 /index.php?error403
ErrorDocument 404 /index.php?error404

Is this a secure way of doing this? Is there anything I can do
differently or more securely? The REMOTE_USER and PHP_AUTH_USER variables
need to be set to make some admin tools inside the .htaccess admin
dir work, like Trac.

Thanks in advance,

The official User-To-User support forum of the Apache HTTP Server Project.
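
The following is an added example, not part of the original message: a small Python model of how the posted rule chain resolves a request, run once with the posted substring pattern and once with a delimiter-anchored pattern. The anchored pattern, the function names and the sample Cookie headers are assumptions made for illustration; the model reports only REMOTE_USER and relies on the documented mod_rewrite behaviour that a RewriteCond applies to the next RewriteRule and that a non-matching rule with [C] skips the rest of its chain.

```python
import re

# Session IDs copied from the posted .htaccess; every Cookie header below is constructed.
SID1 = "aaaabbbbcccdddeeefff111222333"
SID2 = "9999888777666555444332211aabb"

def posted(sid):
    # Pattern shape from the post: matches the string anywhere in the Cookie header.
    return re.compile(r"^.*PHPSESSID=" + re.escape(sid) + r".*$")

def anchored(sid):
    # Assumed tightening: exact cookie name and exact value, bounded by ';' or header ends.
    return re.compile(r"(?:^|;\s*)PHPSESSID=" + re.escape(sid) + r"\s*(?:;|$)")

def decide(cookie, make_pattern):
    """Model of the posted chain; returns the REMOTE_USER that is set, or '403'."""
    user = "user1"                          # rule 1 has no condition: always sets user1
    if make_pattern(SID1).search(cookie):   # cond 1 is negated, so rule 2 does not match
        return user                         # and [C] skips the remaining rules
    user = "user2"                          # rule 2 overwrites the variable with user2
    if make_pattern(SID2).search(cookie):   # cond 2 is negated, so the [F] rule is skipped
        return user
    return "403"                            # rule 3: neither session cookie was found

SAMPLES = [
    "PHPSESSID=" + SID1,                    # exact session cookie for user1
    "lang=en; PHPSESSID=" + SID2,           # exact session cookie for user2, second in header
    "XPHPSESSID=" + SID1,                   # same value under a different cookie name
    "PHPSESSID=" + SID1 + "ffff",           # value that merely starts with the session ID
    "theme=dark",                           # no session cookie at all
]

def compare():
    # One row per sample: (header, result with posted pattern, result with anchored pattern)
    return [(c, decide(c, posted), decide(c, anchored)) for c in SAMPLES]

if __name__ == "__main__":
    for header, loose, strict in compare():
        print(f"{header!r:60} posted={loose:6} anchored={strict}")
```

The two patterns agree on the exact-cookie and no-cookie headers and differ only on the third and fourth samples, which the substring pattern resolves to user1.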