
Script Or .htaccess To Restrict Access


editor


I'm not sure if this concerns scripting or .htaccess, so I'll start here.

 

Here's a scenario:

 

I have a file in a sub-directory (mydomain/subdirectory/file.html).

 

I have a page (mydomain/page.html) with a link to mydomain/subdirectory/file.html.

 

I would like visitors to be able to access /file.html through my link, but not by entering the corresponding URL in their browser for direct access (from a bookmark at a later time, for example). In other words, I want access to everything in that particular subdirectory to be LOCAL ACCESS ONLY, disallowing links or direct access from outside my Web site. Is this possible?


You can't stop people from bookmarking it. You can make it harder by dumping it in a frame (which I'll keep my personal opinion about quiet :P ) and there may be ways to munge it. The closest thing I could think to do this (and I'm not a programmer, so I'm not sure it can) is have your page create a session when a visitor hits, then if they have an active session, allow them to go through that link - no active session, link doesn't work.

 

I don't know if that is really possible or how to pull it off though.....

 

This was brought to you by she-who-is-not-really-that-helpful? =)


I would like visitors to be able to access /file.html through my link, but not by entering the corresponding URL in their browser for direct access (from a bookmark at a later time, for example). In other words, I want access to everything in that particular subdirectory to be LOCAL ACCESS ONLY, disallowing links or direct access from outside my Web site. Is this possible?

I think you can do this in .htaccess, by allowing access to the file based on referrer: If the referrer doesn't match your linking file, then access is disallowed.

 

Try something like this in an .htaccess file in the directory you want to protect:

 

```apacheconf
# Set the local_ref variable when the Referer header contains "domain.org"
# (case-insensitive regex match; "domain.org" stands for your own hostname)
SetEnvIfNoCase Referer "domain\.org" local_ref=1
# Apache 2.2 syntax: deny by default, allow only requests that carry local_ref
Order Allow,Deny
Allow from env=local_ref
# On Apache 2.4 replace the two lines above with:  Require env local_ref
```

 

You may be able to even put the whole filename into the allowed referer. Could do the trick.

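A tightened version of the same referrer rule, added here as an example and not taken from the thread. It changes two things: the pattern is anchored to the start of the Referer, because the unanchored "domain\.org" above also matches a Referer such as http://evil.example/domain.org/ that another site can construct at will, and the Apache 2.4 "Require" form is shown next to the 2.2 Order/Allow form. "example.org" is a placeholder for the site's own hostname.

```apacheconf
# Added example (not from the original post). Put this in the .htaccess of the
# directory to protect. Only a Referer whose *host* is example.org or
# www.example.org sets local_ref; the bare "domain\.org" pattern would also
# match the string anywhere in the URL, e.g. in the path of a foreign site.
SetEnvIfNoCase Referer "^https?://(www\.)?example\.org(/|$)" local_ref=1

# Apache 2.2 (mod_access): everything is denied unless local_ref is set
Order Allow,Deny
Allow from env=local_ref

# Apache 2.4 (mod_authz_core): use this single line instead of the two above
# Require env local_ref
```

Two caveats go with any Referer rule. A request that carries no Referer at all (bookmarks, typed URLs, browsers and security suites that strip it, pages served with a restrictive Referrer-Policy, and HTTPS-to-HTTP navigations) is denied, which is exactly the breakage reported later in this thread. And because the header is sent by the client, anyone who wants in can set it to whatever the rule expects with a single curl -H "Referer: ..." call, so this deters casual deep-linking and nothing more.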

Perfect! ;) I gave it a try and it appears to do exactly what I want.

 

Do you have any suggestions concerning where I can learn more about .htaccess and all the things like this that one can do with it? An online guide, perhaps?

 

Many thanks for such a simple and elegant solution!


Here's one to ponder that I am trying to do:

 

:) I have someone pay a membership fee via PayPal to access 'members only' parts of the website. With PayPal, after they make payment you can send the user to a thank you type page. I would send them to the members registration page where they create their own username and password. When they create their membership they are all set to go. They can go ahead and access the 'members only' pages.

 

;) Here's the kicker. I would like the registration page (www.****/cgi-bin/members/file.cgi) to be only accessed via PayPal's (www.paypal.com/cgi-bin/webscr). BUT, I would like www.****/cgi-bin/members/file.cgi?edit to be accessed from anywhere. Does that make sense? lol


Editor: I think that most well-behaved robots do send a referrer string, so this ought to work.

 

Malesims: I dunno; you could try setting up the referrer blocking for the first full URL, and have a separate "allow from all" statement for the second, but I think this task would be easier if you split the "file" and "file?edit" functions into separate scripts in different directories.


Here's one for the "It seemed like a good idea at the time" department. I installed the .htaccess code above on a couple of directories on January 1st and almost immediately began receiving complaints about inaccessible pages -- even when visitors clicked internal links to reach them. After some research I discovered that a number of my visitors are running security software which disables referrer logging. The Opera browser can do this, and so can Firefox with the Web Developer extension installed. Apparently Norton Internet Security, ZoneAlarm Pro and a number of other security programs can also disable referrer logging, and if this option has been knowingly or unknowingly implemented by Web surfers, this nifty little .htaccess code will stop them dead in their tracks!

 

Rather than trying to convince visitors to re-enable referrer logging (assuming they even know what it is and how to do it), I chose to remove the code.

 

Back to the drawing board, as they say! :P


Hey all.

Thanks for the info about referrer tags, editor. Reading the thread, I thought that solution would probably work for you. However, you still probably shouldn't rely on it for super important stuff, since, like you mentioned, the referer tag can be altered with software working with the browser.

 

Actually, for what it's worth, I really liked TCH-Lisa's idea. (Though, I might be biased because I've done stuff like that a lot in PHP)

 

I think it'd be pretty easy, and the best part is that you could use the system for more complex stuff later if it turns out you need to. (For example, a full login system or displaying different content based on a user's level... etc)

 

Here's what I'd do:

First: If you aren't familiar with this, read a little about PHP sessions at php.net

 

Next, try something like this in your mydomain/page.html

```php
<?php
// Start (or resume) the visitor's session. This must run before any HTML
// is sent, because it sets the session cookie in the response headers.
session_start();

// Mark this session as having arrived through the entry page.
if (!isset($_SESSION['active'])) {
  $_SESSION['active'] = 1;
}
?>
CODE OF WEB PAGE HERE
```

 

And try something like this in your mydomain/subdirectory/file.html

```php
<?php
// Resume the session started on mydomain/page.php (same cookie, same store).
session_start();

// Refuse the request unless the entry page has already flagged this session.
if (!isset($_SESSION['active']) || $_SESSION['active'] != 1) {
   http_response_code(403);
   echo "Direct page access is not allowed.";
}
else
{
?>
ENTIRE HTML OF WEB PAGE HERE
<?php
}
?>
```

 

Oh, and unless you put in a .htaccess that you want .html files parsed with PHP, you'll have to change the extension of your files to .php.

 

It's not foolproof, and perhaps someone else has comments on it, but I hope it helps.


Neat solution, Zathros. Come to think of it, I think I came across a tutorial to do something like this on Webmonkey a while back. I had forgotten all about it. One potential downside that occurs to me is that it won't prevent users from directly linking to non-HTML content like images or PDFs -- but only if they know the filenames, that is, so maybe it's not such a big deal.


One potential downside that occurs to me is that it won't prevent users from directly linking to non-HTML content like images or PDFs -- but only if they know the filenames, that is, so maybe it's not such a big deal.

 

You're right about that. If you're after protecting images and stuff like that, you should also stick a blank index.html in the directory or do some .htaccess magic to prevent directory listing. If you don't use super-obvious file names for your images and all the pages that display the images are protected with the above session system, I think it'd be practically impossible for someone to guess the direct link.

 

If it's not possible to prevent giving the link away in your other pages, it's still probably "good enough" depending on how important it is to protect these things. :-)

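The images-and-PDFs gap discussed in the last two posts can be closed without relying on unguessable filenames: keep the files outside the web root and hand them out through a small PHP script that applies the same session check. The script below is an added example written for this thread, not Zathros's code or anything from the original posts. It assumes the entry page sets $_SESSION['active'] exactly as in the snippet above, that the files live in a directory called protected_files one level above the script (a path chosen for the example), and that pages link to the script as fetch.php?f=diagram.png rather than to the file itself.

```php
<?php
// Added example (not from the original thread): session-gated file gateway.
// Save as fetch.php next to page.php; link to it as fetch.php?f=<name>.
session_start();

// Same gate as the HTML pages: no active session, no file.
if (!isset($_SESSION['active']) || $_SESSION['active'] != 1) {
    http_response_code(403);
    exit('Direct access is not allowed.');
}

// Allow-list of files this script is willing to serve, with their MIME types.
// The filenames and types are illustrative; anything not listed is refused,
// which also rules out "../" tricks and absolute paths before any disk access.
$allowed = [
    'diagram.png'  => 'image/png',
    'handbook.pdf' => 'application/pdf',
];

$name = $_GET['f'] ?? '';
if (!is_string($name) || !isset($allowed[$name])) {
    http_response_code(404);
    exit('No such file.');
}

// Assumed layout: ../protected_files sits outside the document root, so the
// web server can never serve these files directly, only through this script.
$base = realpath(__DIR__ . '/../protected_files');
$path = ($base === false) ? false : realpath($base . '/' . $name);

// Defence in depth: even with an allow-list, confirm the resolved path is
// inside $base and is a regular file (symlinks pointing elsewhere fail here).
if ($path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('No such file.');
}

header('Content-Type: ' . $allowed[$name]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');   // browsers must honour the declared type
header('Cache-Control: private, no-store');   // keep shared caches from re-serving it
readfile($path);
```

If the files cannot be moved outside the web root, add an .htaccess containing Require all denied (Apache 2.4) or Deny from all (2.2) to protected_files so the only path to them is through the script. The allow-list is the important part: it means a visitor who does learn a filename still gets nothing unless their session passed through the entry page, which is the property the Referer rule earlier in the thread could not provide.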
