I am in need of a solution on how to solve this problem:
I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.
Anyone with any idea? Code? 5 10164
Nosferatum <Jo*********@gmail.comwrote:
I am in need of a solution on how to solve this problem:
I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.
Do _NOT_ use referer for this. If there's something that is easily forged
it's that. I'm not entirely clear what you mean by 'folders'. Do you mean
they can simply get to the contents? You say the users are validated, so
let's say a session is started, ad you;ve saved a variable like
$_SESSION['group'] = 'A'. Now check in folder 'A' wether they belong to
this group, and refuse access to them if this isn't the case. In a
..htaccess file this isn't possible. I'd force a single point of entry in
the folder, which checks this value, sends a forbidden header and exits if
they aren't validated or belong to the wrong group. If they are valid
visitors, let it continue and serve the requested files.
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:
Nosferatum <John.Ola...@gmail.comwrote:
I am in need of a solution on how to solve this problem:
I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.
Do _NOT_ use referer for this. If there's something that is easily forged
it's that. I'm not entirely clear what you mean by 'folders'. Do you mean
they can simply get to the contents? You say the users are validated, so
let's say a session is started, ad you;ve saved a variable like
$_SESSION['group'] = 'A'. Now check in folder 'A' wether they belong to
this group, and refuse access to them if this isn't the case. In a
.htaccess file this isn't possible. I'd force a single point of entry in
the folder, which checks this value, sends a forbidden header and exits if
they aren't validated or belong to the wrong group. If they are valid
visitors, let it continue and serve the requested files.
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions:http://tinyurl.com/anel
But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:
Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^ http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/
Nosferatum <Jo*********@gmail.comwrote:
On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:
>Nosferatum <John.Ola...@gmail.comwrote:
I am in need of a solution on how to solve this problem:
I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B,C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.
Do _NOT_ use referer for this. If there's something that is easily forged it's that.
But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:
Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/
No, it isn't. I can still access that page directly without ever being on
'the-only-allowed-page.php'. The 'referer' is just a header browsers may
or may not send (I usually don't send one, and many firewalls block it),
with arbitrary data the current UA deems fit for it. Fun for statistics
(allthough there is something called referer-spam), totally unsuited for
security.
If you want this for security, you might as well ask a user directly:'Are
you a registered user (yes/no)?', and trust their answer without question.
To give you an example:
$handle = fsockopen('www.example.com',80);
$request = "GET /your/secured/folder/ HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/i/just/claim/...r\nConnection:
close\r\n\r\n";
fwrite($handle,$request);
while (!feof($handle)) {
echo fgets($handle);
}
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
On 15 Mar, 09:33, Rik <luiheidsgoe...@hotmail.comwrote:
Nosferatum <John.Ola...@gmail.comwrote:
On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:
Nosferatum <John.Ola...@gmail.comwrote:
I am in need of a solution on how to solve this problem:
I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.
Do _NOT_ use referer for this. If there's something that is easily
forged
it's that.
But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:
Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*)http://www.my-domain-here.com/path/to/redirect/
No, it isn't. I can still access that page directly without ever being on
'the-only-allowed-page.php'. The 'referer' is just a header browsers may
or may not send (I usually don't send one, and many firewalls block it),
with arbitrary data the current UA deems fit for it. Fun for statistics
(allthough there is something called referer-spam), totally unsuited for
security.
If you want this for security, you might as well ask a user directly:'Are
you a registered user (yes/no)?', and trust their answer without question.
To give you an example:
$handle = fsockopen('www.example.com',80);
$request = "GET /your/secured/folder/ HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/i/just/claim/...r\nConnection:
close\r\n\r\n";
fwrite($handle,$request);
while (!feof($handle)) {
echo fgets($handle);}
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions:http://tinyurl.com/anel- Skjul sitert tekst -
- Vis sitert tekst -
Oh, I get your point. Thanks for stopping me from doing something
really stupid... :-) (*blush*)
I have to learn how to use sessions.
By the way: Is it advicable to add a session unregister event upon
page leave, or timeout?
Nosferatum <Jo*********@gmail.comwrote:
Oh, I get your point. Thanks for stopping me from doing something
really stupid... :-) (*blush*)
I have to learn how to use sessions.
By the way: Is it advicable to add a session unregister event upon
page leave, or timeout?
Well, session_unregister() doesn't have to be used anymore.
If you're users can be bothered to click a logout button, by all means
destory the session immediately on that logout page. Most of your users
won't bother, so set the timeout on sessions to something that suits you
so they will be trashed by the garbage collector. Keep in mind that simply
having a started session doesn't mean it's valid, keep track of valid
sessions by either a $_SESSION variable or possibly a file/database/etc.
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: JW |
last post by:
I have a directory protected with .htaccess / .htpasswd. After I'm validated, I
run a php script which bombs out when trying to write a file to that directory.
If I chmod 777 on the directory...
|
by: Nicolas C. |
last post by:
Hello,
I'd like to make some download speed limitation on some of my files
using PHP. I know that an Apache module can do that, but i cannot access
my ISP Apache configuration.
My idea was to...
|
by: Nicolas C. |
last post by:
Hello,
I'd like to make some download speed limitation on some of my files
using PHP. I know that an Apache module can do that, but i cannot access
my ISP Apache configuration.
My idea was to...
|
by: mrbog |
last post by:
As a security measure, I'd like .php files to only execute on my web
site if they're owned by a certain user. (Linux server). Can I do
that?
|
by: deko |
last post by:
I have a login script that creates a SESSION for authenticated users. But
authenticated users still need access to particular directories (which
contain files for download). My hosting provider...
|
by: jason |
last post by:
Hi Guys,
I have an interesting challenge:
We are about to begin building magazine adverts with specific query string
urls attached to a particular boat page which let us know which magazine...
|
by: ABC |
last post by:
How can I deny all users directly access image files from images folder?
|
by: Nu |
last post by:
I want to protect myself from if someone with a fast connection hammers my
site. It's not denial of service attacks, but offline downloaders (of course
that don't show they're offline downloaders...
|
by: Nosferatum |
last post by:
Hi, on my Apache server I want to limit access to a certain file ouput
(from php/MySQL) to just one IP. The idea is that users from another
site should click a link whic redirects them to my...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM).
In this month's session, the creator of the excellent VBE...
|
by: DolphinDB |
last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation.
Take...
|
by: DolphinDB |
last post by:
Tired of spending countless mintues downsampling your data? Look no further!
In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
|
by: Aftab Ahmad |
last post by:
Hello Experts!
I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
|
by: Aftab Ahmad |
last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below.
Dim IE As Object
Set IE =...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, we are pleased to welcome back...
|
by: marcoviolo |
last post by:
Dear all,
I would like to implement on my worksheet an vlookup dynamic , that consider a change of pivot excel via win32com, from an external excel (without open it) and save the new file into a...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, we are pleased to welcome back...
|
by: ArrayDB |
last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
| |