Can I protect images and .htm documents with cookies?

Posted on 2004-08-23
Last Modified: 2012-06-22
Hello.

I use cookies to allow authenticated users access to my CMS administration.

Although the PHP scripts themselves are protected, the images and .htm documents in the /admin folder are not.

How can I limit access to ALL files in a directory and only allow those with the right cookie to access them?

I know this can be done without cookies using .htaccess but I don't want the URL to look like username:password@mysite.com/admin

I am using Linux/Apache/mySQL/PHP etc.

Thanks!
Question by:hankknight
13 Comments
 
LVL 48

Expert Comment

by:hernst42
For this you need an Apache module which checks the cookie against the database for validity and then grants the user access or denies it. I don't know of such an Apache module which could do this in an easy way. Maybe you even have to program it on your own. Checking only for the presence of the cookie or a valid structure of the cookie is not enough, as those settings can easily be generated by someone who wants to access the directory.
 
LVL 32

Expert Comment

by:shalomc
hankknight,
The best way to protect the admin folder is to use basic authentication - the very .htaccess that you want to avoid using.
If you create links like http://mysite.com/admin , the person will be prompted with a user and password challenge and there is nothing wrong with that.
I suppose that you planned to create a role called admin in your CMS, and to provide access to the admin area to whoever exists in the admin group. If that is your plan, you will have to develop your own apache module to match the authenticated session cookie with the admin group.
Another option, if you have the budget for it, is to implement a web access management package, like Tivoli Access Manager, and develop the module as a plugin to that system.

Cheers,
ShalomC
 
LVL 11

Expert Comment

by:neester
There is another way!

Its very fast and very clever....

Give me 10 minutes :)
 
LVL 11

Assisted Solution

by:neester
neester earned 125 total points
Hey hankknight,

You can use .htaccess in other ways to do what you want...

HERE IS A SOLUTION - this will work for all images & HTML documents in the ADMIN FOLDER:

set up the .htaccess file in the directory you want to protect.

now add this code: (between the dashed lines)
---------------------------
RewriteEngine On
RewriteRule ^([a-zA-Z0-9]+)\.jpg$ loadimage.php?path=$1&type=jpg [L]
RewriteRule ^([a-zA-Z0-9]+)\.gif$ loadimage.php?path=$1&type=gif [L]
RewriteRule ^([a-zA-Z0-9]+)\.bmp$ loadimage.php?path=$1&type=bmp [L]
RewriteRule ^([a-zA-Z0-9]+)\.htm$ loadimage.php?path=$1&type=htm [L]
RewriteRule ^([a-zA-Z0-9]+)\.html$ loadimage.php?path=$1&type=html [L]
---------------------------
I could combine those into one line, but I can't test the REGEX at the moment so this will do for now...


THEN create a page called "loadimage.php"
in that put this code:
----------------------------
<?php
      // Accept only what the rewrite rules can produce, so that calling
      // loadimage.php directly with path=../../etc/passwd is refused.
      $TYPES = array(
            'jpg'  => 'image/jpeg',
            'gif'  => 'image/gif',
            'bmp'  => 'image/bmp',
            'htm'  => 'text/html',
            'html' => 'text/html',
      );
      $PATH = isset($_GET['path']) ? $_GET['path'] : '';
      $TYPE = isset($_GET['type']) ? $_GET['type'] : '';
      if (!preg_match('/^[a-zA-Z0-9]+$/', $PATH) || !isset($TYPES[$TYPE]))
      {
            header('HTTP/1.1 400 Bad Request');
            exit;
      }
      $IMAGEPATH = $PATH . '.' . $TYPE;

      $LOGGEDIN = true;   // replace with your real cookie/session check
      
      if ($LOGGEDIN == true)
      {
            $ABSPATH = '/home/neester/public_html/eac/';   // change to the directory on your server
            $FULLPATH = $ABSPATH . $IMAGEPATH;
            if (is_file($FULLPATH))
            {
                  // FILE EXISTS - send the right type, then the raw bytes
                  header('Content-Type: ' . $TYPES[$TYPE]);
                  header('Content-Length: ' . filesize($FULLPATH));
                  readfile($FULLPATH);
            
            }else{
                  // NO FILE! (do not echo the server path back to the browser)
                  header('HTTP/1.1 404 Not Found');
            }
            
      }else{
            // NO PERMISSION
            header('Location: http://yoursite.com/nopermission.html');
            exit;
      }
?>
--------------------------------


 
LVL 11

Expert Comment

by:neester
OK Let me explain how that works!

BTW - I accidentally left my absolute path in there for my box - so change that to the ABSPATH on your server.


THE WAY IT WORKS!


The HTACCESS intercepts the REQUEST for the JPG/GIF/BMP/HTML/HTM file...

it then redirects them to the PHP file (all behind the scenes, it's all on the server, their PC won't notice a THING!)
The PHP file then determines if they are logged in - by checking the cookies etc... you need to modify that file to your liking...

THEN...

If they are logged in,
it will LOAD THE FILE up in the PHP and then OUTPUT the binary data to the user!
SIMPLE!

IF they aren't logged in, it will just send them to another image...
you can make the image something like TRIPOD's method - saying: IMAGE HOSTED BY TRIPOD etc...
If the file doesn't exist, same thing :)

You can modify that code however you like.


I HAVE a demo setup if you want to have a look - or if you cant get it working.
just let me know!


CHEERS!
- neester
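A generalised form of the gateway neester describes above, added here as an example (it is not code from neester's post or from the original thread). Instead of one rewrite rule per extension, a single rule hands every regular non-PHP file under the admin directory to a gateway script, which first checks the server-side PHP session (the opaque session cookie is only a lookup key, which is the "check against the database" hernst42 asks for) and then proves with realpath() that the requested file still resolves inside the admin directory, so subdirectories work but "../" and symlink tricks do not. The .htaccess lines in the header comment, the script name serve.php and the $_SESSION['admin_id'] key that a login script is assumed to set are all assumptions of this example.

```php
<?php
// serve.php -- gateway for static files in the admin directory. Added example,
// not code from the original thread. Assumed .htaccess in /admin:
//
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} -f
//   RewriteCond %{REQUEST_FILENAME} !\.php$
//   RewriteRule ^(.*)$ serve.php?f=$1 [L]
//
// With these rules $_GET['f'] is the path relative to this directory, for
// example "img/logo.gif"; PHP scripts and non-files are left to Apache.

// 1. Is the caller logged in? The session cookie is only an opaque ID; the
//    decision comes from the server-side session data, which the login
//    script is assumed to populate with $_SESSION['admin_id'].
session_start();
if (empty($_SESSION['admin_id'])) {
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain');
    echo "Access denied\n";
    exit;
}

// 2. Resolve the requested name and make sure the result is still inside this
//    directory. realpath() follows ".." and symlinks, so the containment test
//    is made on canonical paths, not on the string the client sent.
$base = realpath(__DIR__);
$name = isset($_GET['f']) ? $_GET['f'] : '';
if ($name === '' || strpos($name, "\0") !== false) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
$full = realpath($base . DIRECTORY_SEPARATOR . $name);

if ($full === false
    || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0   // escaped the directory
    || !is_file($full)
    || substr($full, -4) === '.php'                       // never dump script source
    || basename($full) === '.htaccess') {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// 3. Content type from the extension only; anything unknown goes out as
//    application/octet-stream so the browser will not render it as HTML.
$types = array(
    'jpg'  => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif',
    'png'  => 'image/png',  'bmp'  => 'image/bmp',
    'htm'  => 'text/html',  'html' => 'text/html',
    'css'  => 'text/css',   'js'   => 'application/javascript',
);
$ext  = strtolower(pathinfo($full, PATHINFO_EXTENSION));
$mime = isset($types[$ext]) ? $types[$ext] : 'application/octet-stream';

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($full));
header('Cache-Control: private, no-store');   // admin content: keep it out of shared caches
readfile($full);
```

Because the file bytes are copied with readfile() rather than handed to the PHP engine, an image or .htm file that happens to contain a "<?php" sequence is sent as data, never executed; that is the main difference from the AddType approach further down this thread.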
 
LVL 32

Expert Comment

by:shalomc
That's clever.
You still have to develop some custom code to verify the authenticated session's permissions to the folder, instead of the
$LOGGEDIN = true;
 line

but it will be easier than coding an apache module.


ShalomC
 
LVL 18

Accepted Solution

by:
arantius earned 375 total points
.htaccess in admin:

# give the full path: a bare file name is looked up on PHP's include_path, not in this directory
php_value auto_prepend_file check_cookie.php
AddType application/x-httpd-php .php .htm .gif .jpg

(whatever extensions you need here)

check_cookie.php:

<?php
// logic here to check for the cookie; $cookieIsOK must come from validating
// the cookie's value on the server, not merely from its presence
$cookieIsOK = false;
if (!$cookieIsOK) {
  print "Access denied";
  die;
  //or possibly: header("Location: /notallowed.htm"); die;
}
// no closing ?> here: any character after it would be sent ahead of the file itself
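hernst42's objection near the top of the thread is the crux: a cookie that merely exists, or that has the right shape, proves nothing, because the browser (or curl) can send any cookie it likes. The block below is an added example of what the "logic here" in arantius's stub can be; it is not arantius's code and not part of the original thread. The login script issues a cookie carrying the user ID, an expiry time and an HMAC-SHA256 over both under a server-side secret; the prepended file recomputes the HMAC and compares it in constant time with hash_equals() (PHP 5.6 or later) before letting the requested file through. The cookie name admin_auth, the constant ADMIN_COOKIE_KEY and the placeholder secret are assumptions. Two caveats specific to the AddType approach are handled in the code: on success the prepended file must not emit a single byte, not even a newline after a closing "?>", because that byte would be sent ahead of the image data; and since the .gif or .htm itself is now run through the PHP engine, PHP labels it text/html unless the prepended file sets the real Content-Type, and any "<?php" sequence inside the file would be executed, so only files you wrote yourself belong in that directory, never user uploads. If you prefer a server-side lookup, replace admin_cookie_verify() with a database or $_SESSION lookup of a random token; the rest of the gate stays the same.

```php
<?php
// check_cookie.php -- auto_prepend_file for the admin directory.
// Added example; not the original poster's or arantius's code.
//
// The secret should be at least 32 random bytes, kept outside the web root and
// identical on every server that issues or checks the cookie. The constant
// name, the placeholder value and the cookie name are assumptions.
define('ADMIN_COOKIE_KEY', 'replace-with-32-random-bytes-from-/dev/urandom');
define('ADMIN_COOKIE_NAME', 'admin_auth');

/**
 * Called by the login script once the password has been verified.
 * Cookie value: "<user id>|<expiry unix time>|<hex HMAC-SHA256 over both>".
 */
function admin_cookie_issue($userId, $ttlSeconds = 3600)
{
    $expires = time() + $ttlSeconds;
    $payload = $userId . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, ADMIN_COOKIE_KEY);
    // path limits the cookie to the admin area, secure=true keeps it off plain
    // HTTP, httponly=true keeps page scripts from reading it.
    setcookie(ADMIN_COOKIE_NAME, $payload . '|' . $mac, $expires, '/admin/', '', true, true);
}

/** Returns the user ID if the cookie is authentic and unexpired, otherwise false. */
function admin_cookie_verify($value)
{
    $parts = explode('|', (string) $value);
    if (count($parts) !== 3) {
        return false;
    }
    list($userId, $expires, $mac) = $parts;
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return false;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, ADMIN_COOKIE_KEY);
    // hash_equals() compares in constant time, so a forger cannot recover the
    // MAC byte by byte from response timing.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    return $userId;
}

// ---- the gate itself, run before every file in the directory ---------------
$cookieIsOK = isset($_COOKIE[ADMIN_COOKIE_NAME])
    && admin_cookie_verify($_COOKIE[ADMIN_COOKIE_NAME]) !== false;

if (!$cookieIsOK) {
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain');
    print "Access denied";
    exit;
}

// AddType hands .gif/.jpg/.htm to the PHP engine, which would label them
// text/html; set the real type from the extension of the file being served.
$types = array('gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
               'png' => 'image/png', 'htm' => 'text/html', 'html' => 'text/html');
$ext = strtolower(pathinfo($_SERVER['SCRIPT_FILENAME'], PATHINFO_EXTENSION));
if (isset($types[$ext])) {
    header('Content-Type: ' . $types[$ext]);
}
// No closing ?> on purpose: any byte after it would precede the file's own data.
```

Signing the cookie means the server keeps no state and cannot revoke a single cookie before it expires; keep the lifetime short, or use the token-lookup variant when you need to log a user out immediately.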
 
LVL 16

Author Comment

by:hankknight
Thanks.

I was really hoping that there would be an apache module-- I am sure that more people than just me would use it.

I like your creative approach, neester.  Wouldn't it be easier/simpler to just put the following in .htaccess?

----------------------------------------------------
                ForceType application/x-httpd-php
                php_value auto_append_file "/home/webadmin/domain.com/html/authenticate.php"
----------------------------------------------------

  where authenticate.php is
----------------------------------------------------
<?php $cookieIsOK = false; /* put cookie check here */
if ($cookieIsOK) { exit; } else { header("Location: http://{$_SERVER['HTTP_HOST']}/nopermission.html"); exit; } ?>
----------------------------------------------------

What do you think?
 
LVL 16

Author Comment

by:hankknight
I typed my comment before reading arantius's comment.

Looks like we have the same idea.
 
LVL 18

Expert Comment

by:arantius
I think that would work great hank.  That's what I posted 2 minutes ago =)
 
LVL 16

Author Comment

by:hankknight
Yea, like I said, it took me 10 mins to write, & when I posted it I saw your comment above mine.

This will process even images as PHP scripts.  What kind of server load and time added to return an image would this add?
 
LVL 16

Author Comment

by:hankknight
By the way, in my example, I used auto_append_file. auto_prepend_file, as arantius suggested, works much better, as it is processed before, not after, the image is called.
 
LVL 11

Expert Comment

by:neester
Hey HankKnight,

Yeah, that would work too.
I was just thinking in terms of a prev. system I built.
I had custom input variables for each file etc...

You can use my method if you like - it is just a creative suggestion :)

glad you understand what the code does though :)
cheers mate

sorry bed time  :P 3am here