Solved

Can I protect images and .htm documents with cookies?

Posted on 2004-08-23
13
325 Views
Last Modified: 2012-06-22
Hello.

I use cookies to allow access to authenticates users to my CMS administration.  

Although the PHP scripts themselves are protected, the images and .htm documents in the /admin folder are not.

How can I limit access to ALL files in a directory and only alow those with the right cookie to access them?

I know this can be done without cookies using .htaccess but I don't want the URL to look like username:password@mysite.com/admin

I am using Linux/Apache/mySQL/PHP etc.

Thanks!
0
Comment
Question by:hankknight
  • 4
  • 4
  • 2
  • +2
13 Comments
 
LVL 48

Expert Comment

by:hernst42
ID: 11869904
for this you need a apache module which checks the cookie against the database for validity and then grants the user access or denys the access. I don't know of such a apache-module which could do this in an easy way. Maybe you even have to program it by your own. Checking only for the precence of the cookie or a valid structure of the cookie is not enough as those settings can easy be generated by someone who wnats to access the directory.
0
 
LVL 33

Expert Comment

by:shalomc
ID: 11870590
hankknight,
The best way to protect the admin folder is to use basic authentication - the very .htaccess that you want to avoid using.
If you create links like http://mysite.com/admin , the person will be prompted with a user and password challenge and there is nothing wrong with that.
I suppose that you planned to create a role called admin in your CMS, and to provide access to the admin area to whoever exists in the admin group. If that is your plan, you will have to develop your own apache module to match the authenticated session cookie with the admin group.
Another option, if you have the budget for it, is to implement a web access management package, like Tivoli Access Manager, and develop the module as a plugin to that system.

Cheers,
ShalomC
0
 
LVL 11

Expert Comment

by:neester
ID: 11870840
There is another way!

Its very fast and very clever....

Give me 10 minutes :)
0
 
LVL 11

Assisted Solution

by:neester
neester earned 125 total points
ID: 11870963
Hey HanKJKnight,

YOU can use .HTACCESS in otherways to do what you want...

HERE IS A SOULUTION - this will work for all images & HTML documents in the ADMIN FOLDER:

setup the .htaccess file in teh directory you want to protect.

now add this code: (between the dashed lines)
---------------------------
ReWriteEngine On
ReWriteRule ^([a-zA-Z0-9]+).jpg$ loadimage.php?path=$1&type=jpg
ReWriteRule ^([a-zA-Z0-9]+).gif$ loadimage.php?path=$1&type=gif
ReWriteRule ^([a-zA-Z0-9]+).bmp$ loadimage.php?path=$1&type=bmp
ReWriteRule ^([a-zA-Z0-9]+).htm$ loadimage.php?path=$1&type=htm
ReWriteRule ^([a-zA-Z0-9]+).html$ loadimage.php?path=$1&type=html
---------------------------
I could combine those into one line, but i cant test the REGEX at the moment so this will do for now...


THEN create a page called "loadimage.php"
in that put this code:
----------------------------
<?
      $IMAGEPATH = $_GET['path'] . '.' . $_GET['type'];
      
      $LOGGEDIN = true;
      
      if ($LOGGEDIN == true)
      {
            
            $ABSPATH = '/home/neester/public_html/eac/';
            $FILE = file_get_contents($ABSPATH.$IMAGEPATH);
            if ($FILE)
            {
                  // FILE EXISTS
                  
                  switch($_GET['type'])
                  {
                        case 'jpg': header("Content-type: image/jpg\n"); break;
                        case 'gif': header("Content-type: image/gif\n"); break;
                        case 'bmp': header("Content-type: image/bmp\n"); break;
                        case 'htm':
                        case 'html': header("Content-type: text/html\n"); break;
                  
                  }
                  
                  print($FILE);
            
            }else{
                  // NO FILE!
                  echo("ERROR: $ABSPATH.$IMAGEPATH");
            }
            
      }else{
            // NO PERMISSION
            header("Location: http://yoursite.com/nopermission.html");
      }
?>
--------------------------------


0
 
LVL 11

Expert Comment

by:neester
ID: 11870994
OK Let me explain how that works!

BTW - I Accidentlly left my absolute path in there for my Box - so change that to the ABSPATH on your server.


THE WAY IT WORKS!


The HTACCESS intercepts the REQUEST for the JPG/GIV/BMP/HTML/HTM file...

it then redirects them to the PHP file (all behind the scences, its all on the server, their PC wont notice a THING!)
The PHP file then determines if they are logged in - by checking the cookies etc... you need to modify that file to your liking...

THEN...

If they are loggedin.
It will LOAD THE FILE up in the PHP and then OUTPUT the Binary data to the user!
SIMPLE!

IF they aren't logged in, it will just send them to another image...
you can make the image something like TRIPODS method - saying: IMAGE HOSTED BY TRIPOD etc...
If the file doesnt exist, same thing :)

You can modify that code however you like.


I HAVE a demo setup if you want to have a look - or if you cant get it working.
just let me know!


CHEERS!
- neester
0
 
LVL 33

Expert Comment

by:shalomc
ID: 11871057
That's clever.
You still have to develop some custom code to verify the authenticated session's permissions to the folder, instead of the
$LOGGEDIN = true;
 line

but it will be easier than coding an apache module.


ShalomC
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 18

Accepted Solution

by:
arantius earned 375 total points
ID: 11871336
.htaccess in admin:

php_value auto_prepend_file check_cookie.php
AddType application/x-httpd-php .php .htm .gif .jpg

(whatever extensions you need here)

check_cookie.php:

<?
//logic here to check for the cookie
if (!$cookieIsOK) {
  print "Access denied";
  die;
  //or possibly: header("Location: /notallowed.htm");
}
?>
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871367
Thanks.

I was really hoping that there would be an apache module-- I am sure that more people than just me would use it.

I like your creative approach, neester.  Wouldn't it be easier/simpler to just put the following in .htaccess?

----------------------------------------------------
                ForceType application/x-httpd-php
                php_value auto_append_file "/home/webadmin/domain.com/html/authenticate.php"
----------------------------------------------------

  where authenticate.php is
----------------------------------------------------
<php if ( put cookie check here ) exit; else {header("Location: http://$_SERVER["HTTP_HOST"]/nopermission.html");exit; }
----------------------------------------------------

What do you think?
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871399
I typed my comment before reading arantius comment.

Looks like we have the same idea.
0
 
LVL 18

Expert Comment

by:arantius
ID: 11871403
I think that would work great hank.  That's what I posted 2 minutes ago =)
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871587
Yea, like I said, it took me 10 mins to write, & when I posted it I saw your comment above mine.

This will process even images as PHP scripts.  What kind of server load and time added to return an image would this add?
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871668
By the way, in my example, I used auto_append_file.  auto_prepend_file, as arantius suggested works much better, as it is processed before, not after the image is called.
0
 
LVL 11

Expert Comment

by:neester
ID: 11872713
Hey HankKnight,

Yeah that woudl work too.
I was just thinking in terms of a prev. system I built.
I had custom input variables for each file etc...

You can use my method if you like - it is just a creative suggestion :)

glad you understand what the code does though :)
cheers mate

sorry bed time  :P 3am here
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using SQL Scripts we can save all the SQL queries as files that we use very frequently on our database later point of time. This is one of the feature present under SQL Workshop in Oracle Application Express.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now