editor Posted December 22, 2004

I'm not sure if this concerns scripting or .htaccess, so I'll start here.

Here's a scenario: I have a file in a sub-directory (mydomain/subdirectory/file.html). I have a page (mydomain/page.html) with a link to mydomain/subdirectory/file.html. I would like visitors to be able to access /file.html through my link, but not by entering the corresponding URL in their browser for direct access (from a bookmark at a later time, for example).

In other words, I want access to everything in that particular subdirectory to be LOCAL ACCESS ONLY, disallowing links or direct access from outside my Web site. Is this possible?

LisaJill Posted December 22, 2004

You can't stop people from bookmarking it. You can make it harder by dumping it in a frame (which I'll keep my personal opinion about quiet) and there may be ways to munge it.

The closest thing I could think to do this (and I'm not a programmer, so I'm not sure it can) is have your page create a session when a visitor hits, then if they have an active session, allow them to go through that link - no active session, link doesn't work. I don't know if that is really possible or how to pull it off though.....

This was brought to you by she-who-is-not-really-that-helpful? =)

schussat Posted December 22, 2004

> I would like visitors to be able to access /file.html through my link, but not by entering the corresponding URL in their browser for direct access (from a bookmark at a later time, for example). In other words, I want access to everything in that particular subdirectory to be LOCAL ACCESS ONLY, disallowing links or direct access from outside my Web site. Is this possible?

I think you can do this in .htaccess, by allowing access to the file based on referrer: If the referrer doesn't match your linking file, then access is disallowed. Try something like this in an .htaccess file in the directory you want to protect:

    # Set local_ref when the Referer header contains "domain.org" (case-insensitive)
    SetEnvIfNoCase Referer "domain\.org" local_ref=1
    # Deny by default; allow only requests that carry local_ref
    Order Allow,Deny
    Allow from env=local_ref

You may be able to even put the whole filename into the allowed referer. Could do the trick.

LisaJill Posted December 22, 2004

That was just far simpler and way too clever for me to ever think of. *blushes* Sankoo schussat =)

editor Posted December 22, 2004

> I think you can do this in .htaccess, by allowing access to the file based on referrer: If the referrer doesn't match your linking file, then access is disallowed. Try something like this in an .htaccess file in the directory you want to protect:
>
>     SetEnvIfNoCase Referer "domain\.org" local_ref=1
>     Order Allow,Deny
>     Allow from env=local_ref
>
> You may be able to even put the whole filename into the allowed referer. Could do the trick.

Perfect! I gave it a try and it appears to do exactly what I want.

Do you have any suggestions concerning where I can learn more about .htaccess and all the things like this that one can do with it? An online guide, perhaps?

Many thanks for such a simple and elegant solution!

LisaJill Posted December 22, 2004

Google .htaccess, there are a TON. This is the first one that looks pretty good: .htaccess guide.

schussat Posted December 22, 2004

Fantastic! I'm glad it worked.

boxturt Posted December 22, 2004

Very cool. Seems to work just fine with images too.

editor Posted December 22, 2004

Would I be correct in assuming that this .htaccess configuration will not allow access to search engine spiders?

malesims Posted December 27, 2004

Here's one to ponder that I am trying to do:

I have someone pay a membership fee via PayPal to access 'members only' parts of the website. With PayPal, after they make payment you can send the user to a thank you type page. I would send them to the members registration page where they create their own username and password. When they create their membership they are all set to go. They can go ahead and access the 'members only' pages.

Here's the kicker. I would like the registration page (www.****/cgi-bin/members/file.cgi) to be only accessed via PayPal's (www.paypal.com/cgi-bin/webscr). BUT, I would like www.****/cgi-bin/members/file.cgi?edit to be accessed from anywhere.

Does that make sense? lol

schussat Posted December 27, 2004

Editor: I think that most well-behaved robots do send a referrer string, so this ought to work.

Malesims: I dunno; you could try setting up the referrer blocking for the first full URL, and have a separate "allow from all" statement for the second, but I think this task would be easier if you split the "file" and "file?edit" functions into separate scripts in different directories.

malesims Posted December 28, 2004

I'm not all that good in splitting a cgi page into two, but it's worth a shot and good practice. Thanks!

rebel Posted December 30, 2004

But somehow I don't think checking the referer alone is enough......

editor Posted January 6, 2005

Here's one for the "It seemed like a good idea at the time" department.

I installed the .htaccess code above on a couple of directories on January 1st and almost immediately began receiving complaints about inaccessible pages -- even when visitors clicked internal links to reach them.

After some research I discovered that a number of my visitors are running security software which disables referrer logging. The Opera browser can do this, and so can Firefox with the Web Developer extension installed. Apparently Norton Internet Security, ZoneAlarm Pro and a number of other security programs can also disable referrer logging, and if this option has been knowingly or unknowingly implemented by Web surfers, this nifty little .htaccess code will stop them dead in their tracks!

Rather than trying to convince visitors to re-enable referrer logging (assuming they even know what it is and how to do it), I chose to remove the code. Back to the drawing board, as they say!

zathros Posted January 6, 2005

Hey all. Thanks for the info about referrer tags, editor. Reading the thread, I thought that solution would probably work for you. However, you still probably shouldn't rely on it for super important stuff, since, like you mentioned, the referer tag can be altered with software working with the browser.

Actually, for what it's worth, I really liked TCH-Lisa's idea. (Though, I might be biased because I've done stuff like that a lot in PHP.) I think it'd be pretty easy, and the best part is that you could use the system for more complex stuff later if it turns out you need to. (For example, a full login system or displaying different content based on a user's level... etc.)

Here's what I'd do:

First: If you aren't familiar with this, read a little about PHP sessions at php.net.

Next, try something like this in your mydomain/page.html:

    <?php
    session_start();
    // Mark this visitor's session as having loaded the linking page
    if (!isset($_SESSION['active'])) {
        $_SESSION['active'] = 1;
    }
    ?>
    CODE OF WEB PAGE HERE

And try something like this in your mydomain/subdirectory/file.html:

    <?php
    session_start();
    // Show the page only if the linking page set the flag in this session
    if (!isset($_SESSION['active']) || $_SESSION['active'] != 1) {
        echo "Direct page access is not allowed.";
    } else {
    ?>
    ENTIRE HTML OF WEB PAGE HERE
    <?php
    }
    ?>

Oh, and unless you put in a .htaccess that you want .html files parsed with PHP, you'll have to change the extension of your files to .php.

It's not foolproof, and perhaps someone else has comments on it, but I hope it helps.

schussat Posted January 6, 2005

Neat solution, Zathros. Come to think of it, I think I came across a tutorial to do something like this on Webmonkey a while back. I had forgotten all about it.

One potential downside that occurs to me is that it won't prevent users from directly linking to non-HTML content like images or PDFs -- but only if they know the filenames, that is, so maybe it's not such a big deal.

zathros Posted January 6, 2005

> One potential downside that occurs to me is that it won't prevent users from directly linking to non-HTML content like images or PDFs -- but only if they know the filenames, that is, so maybe it's not such a big deal.

You're right about that. If you're after protecting images and stuff like that, you should also stick a blank index.html in the directory or do some .htaccess magic to prevent directory listing.

If you don't use super-obvious file names for your images and all the pages that display the images are protected with the above session system, I think it'd be practically impossible for someone to guess the direct link. If it's not possible to prevent giving the link away in your other pages, it's still probably "good enough" depending on how important it is to protect these things. :-)

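The session gate in the posts above only covers pages that PHP parses, which is the gap raised for images and PDFs. One way to close it, as an added example that is not code from the thread: keep those files outside the web root and serve them through a script that applies the same session check. The script name `download.php`, the `PROTECTED_DIR` path and the `f` parameter are assumptions made for illustration, and `mime_content_type()` assumes the fileinfo extension is enabled.

```php
<?php
// download.php: added example, not code from the thread.
// Assumes page.php has already set $_SESSION['active'] = 1 and that the
// protected files sit outside the web root (hypothetical path below).
const PROTECTED_DIR = '/home/example/protected';

// Map a requested name to a real file inside $baseDir, or return null.
function resolve_protected($name, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_string($name) || $name === '') {
        return null;
    }
    // basename() drops any directory part, so "../x" cannot climb out.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Reject symlinks that resolve outside the protected directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

session_start();

// Same gate as the pages above, with a real 403 status and a hard stop.
if (!isset($_SESSION['active']) || $_SESSION['active'] != 1) {
    http_response_code(403);
    exit('Direct file access is not allowed.');
}

$file = resolve_protected($_GET['f'] ?? null, PROTECTED_DIR);
if ($file === null) {
    http_response_code(404);
    exit('Not found.');
}

// Send the detected type and tell the browser not to second-guess it.
header('Content-Type: ' . (mime_content_type($file) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

A page would then reference `download.php?f=photo.jpg` instead of the file's own URL. Like the original gate, this only establishes that the visitor loaded the entry page in the current session.
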