469,290 Members | 1,754 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,290 developers. It's quick & easy.

Limit access with referrer/htaccess?

I am in need of a solution on how to solve this problem:

I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.

Anyone with any idea? Code?

Mar 15 '07 #1
5 9975
Rik
Nosferatum <Jo*********@gmail.comwrote:
I am in need of a solution on how to solve this problem:

I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.
Do _NOT_ use referer for this. If there's something that is easily forged
it's that. I'm not entirely clear what you mean by 'folders'. Do you mean
they can simply get to the contents? You say the users are validated, so
let's say a session is started, ad you;ve saved a variable like
$_SESSION['group'] = 'A'. Now check in folder 'A' wether they belong to
this group, and refuse access to them if this isn't the case. In a
..htaccess file this isn't possible. I'd force a single point of entry in
the folder, which checks this value, sends a forbidden header and exits if
they aren't validated or belong to the wrong group. If they are valid
visitors, let it continue and serve the requested files.
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Mar 15 '07 #2
On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:
Nosferatum <John.Ola...@gmail.comwrote:
I am in need of a solution on how to solve this problem:
I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.

Do _NOT_ use referer for this. If there's something that is easily forged
it's that. I'm not entirely clear what you mean by 'folders'. Do you mean
they can simply get to the contents? You say the users are validated, so
let's say a session is started, ad you;ve saved a variable like
$_SESSION['group'] = 'A'. Now check in folder 'A' wether they belong to
this group, and refuse access to them if this isn't the case. In a
.htaccess file this isn't possible. I'd force a single point of entry in
the folder, which checks this value, sends a forbidden header and exits if
they aren't validated or belong to the wrong group. If they are valid
visitors, let it continue and serve the requested files.
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions:http://tinyurl.com/anel
But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/
Mar 15 '07 #3
Rik
Nosferatum <Jo*********@gmail.comwrote:
On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:
>Nosferatum <John.Ola...@gmail.comwrote:
I am in need of a solution on how to solve this problem:
I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B,C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.

Do _NOT_ use referer for this. If there's something that is easily
forged
it's that.

But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/
No, it isn't. I can still access that page directly without ever being on
'the-only-allowed-page.php'. The 'referer' is just a header browsers may
or may not send (I usually don't send one, and many firewalls block it),
with arbitrary data the current UA deems fit for it. Fun for statistics
(allthough there is something called referer-spam), totally unsuited for
security.

If you want this for security, you might as well ask a user directly:'Are
you a registered user (yes/no)?', and trust their answer without question.

To give you an example:
$handle = fsockopen('www.example.com',80);
$request = "GET /your/secured/folder/ HTTP/1.1\r\nHost:
www.example.com\r\nReferer:
http://www.example.com/i/just/claim/...r\nConnection:
close\r\n\r\n";
fwrite($handle,$request);
while (!feof($handle)) {
echo fgets($handle);
}
--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Mar 15 '07 #4
On 15 Mar, 09:33, Rik <luiheidsgoe...@hotmail.comwrote:
Nosferatum <John.Ola...@gmail.comwrote:
On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.comwrote:
Nosferatum <John.Ola...@gmail.comwrote:
I am in need of a solution on how to solve this problem:
I need to limit access to six different folders. My users are
validated in a system which check their prescence with a couple of
variables in a db and then forwards them if they exist. Based upoen
their status they are redirected to one of six folders.
Users belonging to group A shall get access to folder A, but not B, C
etc. It must be possible to limit access in this order by referrer,
but I really don't knwo how to do this. Perhaps in a combination with
a .htaccess file?
Right now it's not a big deal for for.example users from group C to
explore the folders belonging to group A,B,D etc. And that's my big
problem, since each folder should be accessible to ONLY one group.
Do _NOT_ use referer for this. If there's something that is easily
forged
it's that.
But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:
Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-
folder/the-only-allowed-page.php [NC]
RewriteRule (.*)http://www.my-domain-here.com/path/to/redirect/

No, it isn't. I can still access that page directly without ever being on
'the-only-allowed-page.php'. The 'referer' is just a header browsers may
or may not send (I usually don't send one, and many firewalls block it),
with arbitrary data the current UA deems fit for it. Fun for statistics
(allthough there is something called referer-spam), totally unsuited for
security.

If you want this for security, you might as well ask a user directly:'Are
you a registered user (yes/no)?', and trust their answer without question.

To give you an example:
$handle = fsockopen('www.example.com',80);
$request = "GET /your/secured/folder/ HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/i/just/claim/...r\nConnection:
close\r\n\r\n";
fwrite($handle,$request);
while (!feof($handle)) {
echo fgets($handle);}

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions:http://tinyurl.com/anel- Skjul sitert tekst -

- Vis sitert tekst -
Oh, I get your point. Thanks for stopping me from doing something
really stupid... :-) (*blush*)
I have to learn how to use sessions.

By the way: Is it advicable to add a session unregister event upon
page leave, or timeout?

Mar 15 '07 #5
Rik
Nosferatum <Jo*********@gmail.comwrote:
Oh, I get your point. Thanks for stopping me from doing something
really stupid... :-) (*blush*)
I have to learn how to use sessions.

By the way: Is it advicable to add a session unregister event upon
page leave, or timeout?
Well, session_unregister() doesn't have to be used anymore.

If you're users can be bothered to click a logout button, by all means
destory the session immediately on that logout page. Most of your users
won't bother, so set the timeout on sessions to something that suits you
so they will be trashed by the garbage collector. Keep in mind that simply
having a started session doesn't mean it's valid, keep track of valid
sessions by either a $_SESSION variable or possibly a file/database/etc.

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Mar 15 '07 #6

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

2 posts views Thread by JW | last post: by
reply views Thread by Nicolas C. | last post: by
1 post views Thread by Nicolas C. | last post: by
3 posts views Thread by mrbog | last post: by
6 posts views Thread by Nosferatum | last post: by
1 post views Thread by CARIGAR | last post: by
reply views Thread by zhoujie | last post: by
reply views Thread by suresh191 | last post: by
reply views Thread by harlem98 | last post: by
1 post views Thread by Geralt96 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.