Posted by Nosferatum on 03/15/07 08:13
On 15 Mar, 08:27, Rik <luiheidsgoe...@hotmail.com> wrote:
> Nosferatum <John.Ola...@gmail.com> wrote:
> > I am in need of a solution on how to solve this problem:
>
> > I need to limit access to six different folders. My users are
> > validated in a system which checks their presence with a couple of
> > variables in a db and then forwards them if they exist. Based upon
> > their status they are redirected to one of six folders.
> > Users belonging to group A shall get access to folder A, but not B, C
> > etc. It must be possible to limit access in this order by referrer,
> > but I really don't know how to do this. Perhaps in a combination with
> > a .htaccess file?
> > Right now it's not a big deal for, for example, users from group C to
> > explore the folders belonging to group A,B,D etc. And that's my big
> > problem, since each folder should be accessible to ONLY one group.
>
> Do _NOT_ use referer for this. If there's something that is easily forged
> it's that. I'm not entirely clear what you mean by 'folders'. Do you mean
> they can simply get to the contents? You say the users are validated, so
> let's say a session is started, and you've saved a variable like
> $_SESSION['group'] = 'A'. Now check in folder 'A' whether they belong to
> this group, and refuse access to them if this isn't the case. In a
> .htaccess file this isn't possible. I'd force a single point of entry in
> the folder, which checks this value, sends a forbidden header and exits if
> they aren't validated or belong to the wrong group. If they are valid
> visitors, let it continue and serve the requested files.
> --
> Rik Wasmus
> Posted on Usenet, not any forum you might see this in.
> Ask Smart Questions:http://tinyurl.com/anel
But I thought that limiting one special url as referrer and deny
everybody else in .htaccess in the target folder was the most secure
way to solve this?
Like:
Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-domain-here.com/the-folder/the-only-allowed-page.php [NC]
RewriteRule (.*) http://www.my-domain-here.com/path/to/redirect/
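The session-based single point of entry that Rik describes in the quoted reply, sketched as an added example; it is not code from either poster. The file name gate.php, the `file` query parameter and the PROTECTED_DIR location are assumptions for illustration, and $_SESSION['group'] is assumed to be set by the existing login code.

```php
<?php
// gate.php: hypothetical single point of entry for folder A (added example).
// Assumes the login code has already stored the user's group in
// $_SESSION['group'], as in the quoted reply.
declare(strict_types=1);

const REQUIRED_GROUP = 'A';                        // group this folder belongs to
const PROTECTED_DIR  = __DIR__ . '/../private/A';  // assumed location outside the web root

// Send an error status with a short plain-text body and stop.
function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

session_start();

// The decision rests on server-side session state only. The Referer header
// is supplied by the client, so it is never consulted here.
$group = $_SESSION['group'] ?? null;
if ($group === null) {
    deny(403, 'Forbidden: not logged in.');
}
if ($group !== REQUIRED_GROUP) {
    deny(403, 'Forbidden: wrong group.');
}

// Resolve the requested file and confirm it stays inside PROTECTED_DIR,
// so "../" sequences cannot reach another group's folder.
$requested = (string) ($_GET['file'] ?? 'index.html');
$base = realpath(PROTECTED_DIR);
$path = realpath(PROTECTED_DIR . '/' . $requested);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    deny(404, 'Not found.');
}

// Valid visitor from the right group: serve the requested file.
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```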