Rewrite Rules (mod_rewrite)


drsmartman
11-24-2003, 09:50 PM
Hi Everyone,

I am having a tough time figuring out mod_rewrite and I'm not a big fan of regular expressions. I think my issue can be solved, but I'm afraid I have to ask for some help to get it done in a reasonable time frame.

My issue is this. I am running a site with secure records on it that are accessible with varying levels of access (admin, staff, public, etc). Securing the records is no problem with PHP.

Every record, however, is linked to a file in a web accessible folder (I don't use BLOBs rather a link in the file system because I had issues with BLOBs - another story). However, I do not want these files accessible unless they come from a link within the site.

For example, the directory I want to protect is /protected. How could I write a rule that says do not allow access to http://www.mysite.com/protected unless it comes from a link within http://www.mysite.com/ ?

I know I would use mod_rewrite and .htaccess (or httpd.conf), but am having trouble figuring out how to implement the rule. Can any of you all help?

Many thanks in advance!

Pittimann
11-25-2003, 05:16 AM
Hi!

You can easily do that in PHP.
If you have (e.g.) an http://www.mysite.com/protected/index.php that file could contain a check, from where the user is coming. If he's coming from somewhere on http://www.mysite.com/ direct him to the protected content:

<?php
// Compare the start of the Referer header with the site's own URL.
$referingPage = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : ''; // header may be absent
$myReferer = 'http://www.mysite.com/';
$referingPage = substr($referingPage, 0, strlen($myReferer));
if ($referingPage == $myReferer) {
    // code for displaying protected stuff - something like:
    // header("Location: protected.php"); or just echoing the protected content:
    // echo 'You are allowed to read this!';
} else {
    echo 'This area is protected!';
}
?>

Cheers - Pit

DaiWelsh
11-25-2003, 07:14 AM
Bear in mind that for more than nominal security, referer is no use as it comes from the browser and so cannot be trusted.

Pittimann
11-25-2003, 07:46 AM
Hi!

Afaik, there is no way to manipulate the referer variable, so where is the security problem?

Cheers - Pit

DaiWelsh
11-25-2003, 07:51 AM
Do you mean there is no way to manipulate the referer value if you are an honest user using IE? That may be true but is far from sufficient to make it secure. Unless Apache provides additional referer functionality over and above what is defined in the HTTP protocol this information is no more reliable than the browser string for example which is equally easy to fake.

Edit: see link for more details

Referer Problem (http://www.networkcomputing.com/1105/1105ws12.html?ls=NCJS_1105bt)

Edit: Just remembered also some privacy software strips referer info for security reasons so these users would be excluded by a method based on referer.

drsmartman
11-25-2003, 09:06 AM
Hi, thanks for the replies. Well, the PHP is a solid answer, but does not solve my problem. Basically, the reason I need to do a directory-level rewrite is because I am looking to protect files other than PHP. For instance, I may have a record that refers to a row in my database, http://www.mysite.com/load_object.php?object_id=12. This page will either display the record details or give a permission denied error (I do this using session variables). Now, a valid user should be able to link to a file called http://www.mysite.com/protected/image12.jpg, but an invalid user (one that a.) hot links, or b.) pastes the URL into a browser) should not be able to have access. Because we are talking about photos, pictures, et al. I cannot write protective code within the file... sorry, if I didn't make it clear the first time. I have copyright and consent issues with these objects and have to protect them with the utmost security in mind.

Many thanks!

DaiWelsh
11-25-2003, 09:24 AM
It is possible to protect other files using a PHP script, provided you know what content type they are. For example a PHP script call can return a jpeg image by sending the appropriate header then loading the .jpg file from disk and outputting it to the browser. Provided the .jpg file is outside the web tree (i.e. the user is not able to download it direct without going through the PHP script) this is about as secure as you can get and the browser generally knows no different compared to accessing it directly.

Essentially the same as storing the data in the db and accessing it via a script but the db here is just the file system.

This should allow you to check for session variable/login/whatever you like in the PHP script before allowing the download.

HTH,

Dai
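One way to implement the gatekeeper script Dai describes, as an added example that is not code from the thread: the files sit outside DocumentRoot, the script checks the server-side session (not the Referer header), validates the requested name, and streams the file with the right Content-Type. It generalises to the many file types raised later in the thread through an extension allow-list. The directory /var/www/protected_files, the query parameter "file", and the session key "user_id" are assumptions, and the code assumes PHP 8.

```php
<?php
declare(strict_types=1);
session_start();

// Files live here, outside DocumentRoot, so Apache never serves them directly.
// The path and the session key 'user_id' are assumptions for this example.
const STORE = '/var/www/protected_files';
const TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif' => 'image/gif',  'mpg'  => 'video/mpeg', 'pdf' => 'application/pdf',
];

function deny(int $code, string $msg): void
{
    http_response_code($code);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. Authorisation comes from the session the login code set, not from Referer.
//    A per-record permission check (admin/staff/public) would go here as well.
if (!isset($_SESSION['user_id'])) {
    deny(403, 'Login required');
}

// 2. Accept only a bare file name: no directory parts, no dotfiles.
$name = $_GET['file'] ?? '';
if ($name === '' || $name !== basename($name) || str_starts_with($name, '.')) {
    deny(400, 'Bad file name');
}
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!isset(TYPES[$ext])) {
    deny(415, 'Unsupported file type');
}

// 3. Resolve symlinks and re-check that the real path is still inside STORE.
$path = realpath(STORE . '/' . $name);
if ($path === false || !str_starts_with($path, realpath(STORE) . '/') || !is_file($path)) {
    deny(404, 'Not found');
}

// 4. Stream the file; the browser sees an ordinary image/movie/PDF response.
header('Content-Type: ' . TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . $name . '"');
header('Cache-Control: private, no-store');
readfile($path);
```

A page in the site would then link to serve.php?file=image12.jpg instead of /protected/image12.jpg; because the directory is outside the web tree, there is no direct URL to hot-link or paste.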

drsmartman
11-25-2003, 10:06 AM
Thanks for the response. Okay, I see what you are saying. Simply embed rules in PHP then deliver an image from outside of the DocumentRoot (Web Root) directory? Yes, this would work. However, we have an infinite number of MIME/File Types and the chosen method of delivery is to have a link to the object. For instance, a movie would be http://www.mysite.com/protected/mymovie.mpg or an image would be http://www.mysite.com/protected/myimage.jpg. I know there is a way to do this in mod_rewrite and .htaccess and that would be the best solution for this instance since we are NOT delivering media embedded in PHP pages.

Thanks!

DaiWelsh
11-25-2003, 11:22 AM
Yes, you got the idea.

wrt the original method, you are welcome to try it of course, but the link I posted above explains why a referer based check may well be fundamentally flawed for protecting against anyone other than casual browsers.