Restricting access to a directory after user has been authenticated

Discussion in 'Apache' started by bipcuds, Jun 23, 2010.

  1. #1
    Hi All,

    I have written a user front-end in Perl that has an authentication script (in Perl) to allow a user to log in (password stored in back-end DB). Once that is successful, a pair of cookies are set:

    setCookie("first", "$digest",,,);
    setCookie("second", "$session_key",,,);

    plus the session key/ID is stored in the user's record in the DB.

    However, I also have static Web pages and directories for each user stored in "/data/username"; I have a symlink under "htdocs" that points to the real data location (i.e. "/data").

    I notice that I can easily hand-modify a URL to point to another user's directory and gain access, which is of course undesirable :)

    Is there a way to have Apache automatically allow/deny access to contents in a user's private data directory, based on the authentication/cookies that have already been set via authentication?

    NOTE: Apache V2.0 Authentication Module Auth MemCookie (http://authmemcookie.sourceforge.net/) *might* provide a solution to restricting directory access, but the few examples mention using PHP to handle the access control to an explicit URL. What I need is a transparent way (and maybe a short but explicit example) for Apache to transparently allow/deny access to any URL that is inside a user's data directory.

    Many thanks in advance!
    Keith
     
    bipcuds, Jun 23, 2010
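
One way to enforce the per-user check the post asks about, as an added example that is not part of the original post. It assumes the files under the data root are handed out by a Perl script rather than directly through the htdocs symlink; `user_for_session`, `authorize`, the session hash and the demo files are hypothetical stand-ins for the poster's DB lookup and data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Hypothetical lookup: session-key cookie -> username. The hash stands in
# for the per-user DB record that stores the session key.
sub user_for_session {
    my ($sessions, $key) = @_;
    return unless defined $key;
    return $sessions->{$key};
}

# Return the canonical path if $user may read $url_path under $root, else undef.
sub authorize {
    my ($root, $user, $url_path) = @_;
    return unless defined $user && $user =~ /\A[A-Za-z0-9_-]+\z/;
    my $home = realpath("$root/$user");
    my $real = realpath("$root/$url_path");    # resolves "../" and symlinks
    return unless defined $home && defined $real && -d $home && -f $real;
    return index($real, "$home/") == 0 ? $real : undef;
}

# Constructed demo data: two users and one live session that belongs to alice.
my $root = tempdir(CLEANUP => 1);
for my $u (qw(alice bob)) {
    make_path("$root/$u");
    open my $fh, '>', "$root/$u/index.html" or die "open: $!";
    print {$fh} "private page of $u\n";
    close $fh;
}
symlink "$root/bob", "$root/alice/shortcut" or die "symlink: $!";
my %sessions = ('constructed-session-key' => 'alice');

my @checks = (
    ['constructed-session-key', 'alice/index.html'],           # own file
    ['constructed-session-key', 'bob/index.html'],             # edited URL
    ['constructed-session-key', 'alice/../bob/index.html'],    # dot-dot path
    ['constructed-session-key', 'alice/shortcut/index.html'],  # symlink out
    [undef,                     'alice/index.html'],           # no cookie
);
for my $c (@checks) {
    my ($key, $path) = @$c;
    my $user = user_for_session(\%sessions, $key);   # scalar: undef if no session
    my $ok   = authorize($root, $user, $path);
    printf "%-28s %s\n", $path, defined $ok ? 'ALLOW' : 'DENY';
}
```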