Apache: Authentication using cookies

Discussion in 'Apache' started by wcnnz, Apr 7, 2010.

  1. #1
    Hey guys,
    I have a problem, and 3 hours straight of googling couldn't answer!

    Here's the situation:
    I have a login page (php) that sets cookies if the username/password are found in the sql database.
    Then the index.php for each page looks for these cookies, and if it doesn't have them, then it won't allow them to see what is in the directory.

    My previous situation was:
    I simply set up a .htaccess with basic authentication to handle all this, but I was getting sick of handling all the password/email changes myself, hence why I created the php pages.

    The Problem:
    The problem is, that php/sql allows the users to change their own password/email/whatever, and the index.php pages will stop people who don't have the cookies seeing the page (the directory listing), BUT if they know what they're looking for, then they can still access it.

    E.G.:
    (a person who has not signed in)
    tries to view /example/ - and can't see anything, because of the index.php page
    tries to view /example/file.txt - they can see this, nothing is denying them access.

    WHAT I WANT:
    A way of using .htaccess to check for the cookies, and deny users who have not signed in.
    something like:
    if (isset($_COOKIE['cookiename']) && $_COOKIE['cookiename'] == MD5('hello')) {
        // they can view whatever is in the directory
    } else {
        echo "You cannot view this";
    }
    only I need that for the .htaccess file...
    Please help!
    Thanks,
    wcnnz
     
    wcnnz, Apr 7, 2010 IP
  2. esupportsnet

    #2
    Hello,

    For preventing direct access to your files, can't you set hotlink prevention to your account through .htaccess? That's the best option here.
     
    esupportsnet, Apr 8, 2010 IP
  3. wcnnz

    #3
    That does sound like a good option. I did a bit of looking around on the internet, and was wondering how I do that? Anybody know of a tutorial or something? Maybe you could write one? =P
    Are you sure that hotlink prevention would work so that if the users are signed in, it will let them view the files?

    EDIT: Yeah, the problem is I do not know:
    a) How to do this and
    b) If you can change it based on the cookies...

    because I still want the users (once signed in) to be able to access the files...
    ...but then again I also want to block off some files completely (like the .htaccess file)
     
    Last edited: Apr 8, 2010
    wcnnz, Apr 8, 2010 IP
  4. wcnnz

    #4
    FOUND THE ANSWER. THANKS FOR THE HOTLINKING IDEA! Because of that I came across this:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_COOKIE} !^.*cookie-name.*$ [NC]
    RewriteRule .* /login-error/set-cookie-first.cgi [NC,L]

    Just chucked that in the .htaccess file, made a few configurations, and BAM, it worked.
     
    wcnnz, Apr 18, 2010 IP
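
An added example, not part of the thread or any poster's code: the RewriteCond in post #4 only tests that a cookie with that name appears in the request, not that its value is one the login page issued. One way to check the value is to route every file request through a PHP script that verifies an HMAC-signed cookie before serving the file. The script name gate.php, the cookie name auth and its user|expiry|mac layout, the directory /var/www/protected and the AUTH_KEY environment variable are all assumptions.

```php
<?php
// gate.php (hypothetical name): added example, not code from the thread.
// Assumed .htaccess, so that every request passes through this script:
//   RewriteEngine On
//   RewriteCond %{REQUEST_URI} !^/gate\.php$
//   RewriteRule ^(.*)$ /gate.php?f=$1 [L]
// Assumed cookie "auth" from the login page: user|expiry|hex(HMAC-SHA256("user|expiry"))
const PROTECTED_DIR = '/var/www/protected'; // assumption: outside the document root

// Returns the user name if the cookie is authentic and unexpired, else null.
function verify_cookie(string $cookie, string $key, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) return null;
    [$user, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expiry, $key);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    return (ctype_digit($expiry) && (int) $expiry >= $now) ? $user : null;
}

// Maps the requested name to a regular file inside PROTECTED_DIR, else null.
function resolve_path(string $requested): ?string
{
    $base = realpath(PROTECTED_DIR);
    $path = realpath(PROTECTED_DIR . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Reject "../" escapes, plus dotfiles and dot-directories such as .htaccess.
    $rel = substr($path, strlen($base));
    $inside = strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return ($inside && strpos($rel, DIRECTORY_SEPARATOR . '.') === false) ? $path : null;
}

$key    = getenv('AUTH_KEY'); // assumption: secret provided via the server environment
$cookie = $_COOKIE['auth'] ?? '';
$name   = $_GET['f'] ?? '';
if (!is_string($key) || $key === '') { http_response_code(500); exit; }
if (!is_string($cookie) || verify_cookie($cookie, $key, time()) === null) {
    http_response_code(403);
    exit('You cannot view this');
}
$file = is_string($name) ? resolve_path($name) : null;
if ($file === null) { http_response_code(404); exit; }
header('Content-Type: application/octet-stream');
readfile($file);
```

The login page would set the cookie with the same key and layout after checking the username and password against the database.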