Limit access with referrer/htaccess?

Nosferatum <Jo*********@gmail.comwrote:

I am in need of a solution on how to solve this problem:

I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.

Do _NOT_ use referer for this. If there's something that is easily forged
it's that. I'm not entirely clear what you mean by 'folders'. Do you mean
they can simply get to the contents? You say the users are validated, so
let's say a session is started, ad you;ve saved a variable like
$_SESSION['group'] = 'A'. Now check in folder 'A' wether they belong to
this group, and refuse access to them if this isn't the case. In a
..htaccess file this isn't possible. I'd force a single point of entry in
the folder, which checks this value, sends a forbidden header and exits if
they aren't validated or belong to the wrong group. If they are valid
visitors, let it continue and serve the requested files.
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel

On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:

Nosferatum <John.Ola...@gmail.comwrote:

I am in need of a solution on how to solve this problem:

I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.

Do _NOT_ use referer for this. If there's something that is easily forged
it's that. I'm not entirely clear what you mean by 'folders'. Do you mean
they can simply get to the contents? You say the users are validated, so
let's say a session is started, ad you;ve saved a variable like
$_SESSION['group'] = 'A'. Now check in folder 'A' wether they belong to
this group, and refuse access to them if this isn't the case. In a
.htaccess file this isn't possible. I'd force a single point of entry in
the folder, which checks this value, sends a forbidden header and exits if
they aren't validated or belong to the wrong group. If they are valid
visitors, let it continue and serve the requested files.
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions:http://tinyurl.com/anel

But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/

Nosferatum <Jo*********@gmail.comwrote:

On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:

>Nosferatum <John.Ola...@gmail.comwrote:

I am in need of a solution on how to solve this problem:

I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B,C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.

Do _NOT_ use referer for this. If there's something that is easily
forged
it's that.

But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/

No, it isn't. I can still access that page directly without ever being on
'the-only-allowed-page.php'. The 'referer' is just a header browsers may
or may not send (I usually don't send one, and many firewalls block it),
with arbitrary data the current UA deems fit for it. Fun for statistics
(allthough there is something called referer-spam), totally unsuited for
security.

If you want this for security, you might as well ask a user directly:'Are
you a registered user (yes/no)?', and trust their answer without question.

To give you an example:
$handle = fsockopen('www.example.com',80);
$request = "GET /your/secured/folder/ HTTP/1.1\r\nHost:
www.example.com\r\nReferer:
http://www.example.com/i/just/claim/...r\nConnection:
close\r\n\r\n";
fwrite($handle,$request);
while (!feof($handle)) {
echo fgets($handle);
}
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel

On 15 Mar, 09:33, Rik <luiheidsgoe...@hotmail.comwrote:

Nosferatum <John.Ola...@gmail.comwrote:

On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:

Nosferatum <John.Ola...@gmail.comwrote:
I am in need of a solution on how to solve this problem:

I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.

Do _NOT_ use referer for this. If there's something that is easily
forged
it's that.

But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*)http://www.my-domain-here.com/path/to/redirect/

No, it isn't. I can still access that page directly without ever being on
'the-only-allowed-page.php'. The 'referer' is just a header browsers may
or may not send (I usually don't send one, and many firewalls block it),
with arbitrary data the current UA deems fit for it. Fun for statistics
(allthough there is something called referer-spam), totally unsuited for
security.

If you want this for security, you might as well ask a user directly:'Are
you a registered user (yes/no)?', and trust their answer without question.

To give you an example:
$handle = fsockopen('www.example.com',80);
$request = "GET /your/secured/folder/ HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/i/just/claim/...r\nConnection:
close\r\n\r\n";
fwrite($handle,$request);
while (!feof($handle)) {
echo fgets($handle);}

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions:http://tinyurl.com/anel- Skjul sitert tekst -

- Vis sitert tekst -

Oh, I get your point. Thanks for stopping me from doing something
really stupid... :-) (*blush*)
I have to learn how to use sessions.

By the way: Is it advicable to add a session unregister event upon
page leave, or timeout?

Nosferatum <Jo*********@gmail.comwrote:

Oh, I get your point. Thanks for stopping me from doing something
really stupid... :-) (*blush*)
I have to learn how to use sessions.

By the way: Is it advicable to add a session unregister event upon
page leave, or timeout?

Well, session_unregister() doesn't have to be used anymore.

If you're users can be bothered to click a logout button, by all means
destory the session immediately on that logout page. Most of your users
won't bother, so set the timeout on sessions to something that suits you
so they will be trashed by the garbage collector. Keep in mind that simply
having a started session doesn't mean it's valid, keep track of valid
sessions by either a $_SESSION variable or possibly a file/database/etc.

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel