Solved

Can I protect images and .htm documents with cookies?

Posted on 2004-08-23
13
329 Views
Last Modified: 2012-06-22
Hello.

I use cookies to allow access to authenticates users to my CMS administration.  

Although the PHP scripts themselves are protected, the images and .htm documents in the /admin folder are not.

How can I limit access to ALL files in a directory and only alow those with the right cookie to access them?

I know this can be done without cookies using .htaccess but I don't want the URL to look like username:password@mysite.com/admin

I am using Linux/Apache/mySQL/PHP etc.

Thanks!
0
Comment
Question by:hankknight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +2
13 Comments
 
LVL 48

Expert Comment

by:hernst42
ID: 11869904
for this you need a apache module which checks the cookie against the database for validity and then grants the user access or denys the access. I don't know of such a apache-module which could do this in an easy way. Maybe you even have to program it by your own. Checking only for the precence of the cookie or a valid structure of the cookie is not enough as those settings can easy be generated by someone who wnats to access the directory.
0
 
LVL 33

Expert Comment

by:shalomc
ID: 11870590
hankknight,
The best way to protect the admin folder is to use basic authentication - the very .htaccess that you want to avoid using.
If you create links like http://mysite.com/admin , the person will be prompted with a user and password challenge and there is nothing wrong with that.
I suppose that you planned to create a role called admin in your CMS, and to provide access to the admin area to whoever exists in the admin group. If that is your plan, you will have to develop your own apache module to match the authenticated session cookie with the admin group.
Another option, if you have the budget for it, is to implement a web access management package, like Tivoli Access Manager, and develop the module as a plugin to that system.

Cheers,
ShalomC
0
 
LVL 11

Expert Comment

by:neester
ID: 11870840
There is another way!

Its very fast and very clever....

Give me 10 minutes :)
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 
LVL 11

Assisted Solution

by:neester
neester earned 125 total points
ID: 11870963
Hey HanKJKnight,

YOU can use .HTACCESS in otherways to do what you want...

HERE IS A SOULUTION - this will work for all images & HTML documents in the ADMIN FOLDER:

setup the .htaccess file in teh directory you want to protect.

now add this code: (between the dashed lines)
---------------------------
ReWriteEngine On
ReWriteRule ^([a-zA-Z0-9]+).jpg$ loadimage.php?path=$1&type=jpg
ReWriteRule ^([a-zA-Z0-9]+).gif$ loadimage.php?path=$1&type=gif
ReWriteRule ^([a-zA-Z0-9]+).bmp$ loadimage.php?path=$1&type=bmp
ReWriteRule ^([a-zA-Z0-9]+).htm$ loadimage.php?path=$1&type=htm
ReWriteRule ^([a-zA-Z0-9]+).html$ loadimage.php?path=$1&type=html
---------------------------
I could combine those into one line, but i cant test the REGEX at the moment so this will do for now...


THEN create a page called "loadimage.php"
in that put this code:
----------------------------
<?
      $IMAGEPATH = $_GET['path'] . '.' . $_GET['type'];
      
      $LOGGEDIN = true;
      
      if ($LOGGEDIN == true)
      {
            
            $ABSPATH = '/home/neester/public_html/eac/';
            $FILE = file_get_contents($ABSPATH.$IMAGEPATH);
            if ($FILE)
            {
                  // FILE EXISTS
                  
                  switch($_GET['type'])
                  {
                        case 'jpg': header("Content-type: image/jpg\n"); break;
                        case 'gif': header("Content-type: image/gif\n"); break;
                        case 'bmp': header("Content-type: image/bmp\n"); break;
                        case 'htm':
                        case 'html': header("Content-type: text/html\n"); break;
                  
                  }
                  
                  print($FILE);
            
            }else{
                  // NO FILE!
                  echo("ERROR: $ABSPATH.$IMAGEPATH");
            }
            
      }else{
            // NO PERMISSION
            header("Location: http://yoursite.com/nopermission.html");
      }
?>
--------------------------------


0
 
LVL 11

Expert Comment

by:neester
ID: 11870994
OK Let me explain how that works!

BTW - I Accidentlly left my absolute path in there for my Box - so change that to the ABSPATH on your server.


THE WAY IT WORKS!


The HTACCESS intercepts the REQUEST for the JPG/GIV/BMP/HTML/HTM file...

it then redirects them to the PHP file (all behind the scences, its all on the server, their PC wont notice a THING!)
The PHP file then determines if they are logged in - by checking the cookies etc... you need to modify that file to your liking...

THEN...

If they are loggedin.
It will LOAD THE FILE up in the PHP and then OUTPUT the Binary data to the user!
SIMPLE!

IF they aren't logged in, it will just send them to another image...
you can make the image something like TRIPODS method - saying: IMAGE HOSTED BY TRIPOD etc...
If the file doesnt exist, same thing :)

You can modify that code however you like.


I HAVE a demo setup if you want to have a look - or if you cant get it working.
just let me know!


CHEERS!
- neester
0
 
LVL 33

Expert Comment

by:shalomc
ID: 11871057
That's clever.
You still have to develop some custom code to verify the authenticated session's permissions to the folder, instead of the
$LOGGEDIN = true;
 line

but it will be easier than coding an apache module.


ShalomC
0
 
LVL 18

Accepted Solution

by:
arantius earned 375 total points
ID: 11871336
.htaccess in admin:

php_value auto_prepend_file check_cookie.php
AddType application/x-httpd-php .php .htm .gif .jpg

(whatever extensions you need here)

check_cookie.php:

<?
//logic here to check for the cookie
if (!$cookieIsOK) {
  print "Access denied";
  die;
  //or possibly: header("Location: /notallowed.htm");
}
?>
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871367
Thanks.

I was really hoping that there would be an apache module-- I am sure that more people than just me would use it.

I like your creative approach, neester.  Wouldn't it be easier/simpler to just put the following in .htaccess?

----------------------------------------------------
                ForceType application/x-httpd-php
                php_value auto_append_file "/home/webadmin/domain.com/html/authenticate.php"
----------------------------------------------------

  where authenticate.php is
----------------------------------------------------
<php if ( put cookie check here ) exit; else {header("Location: http://$_SERVER["HTTP_HOST"]/nopermission.html");exit; }
----------------------------------------------------

What do you think?
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871399
I typed my comment before reading arantius comment.

Looks like we have the same idea.
0
 
LVL 18

Expert Comment

by:arantius
ID: 11871403
I think that would work great hank.  That's what I posted 2 minutes ago =)
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871587
Yea, like I said, it took me 10 mins to write, & when I posted it I saw your comment above mine.

This will process even images as PHP scripts.  What kind of server load and time added to return an image would this add?
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871668
By the way, in my example, I used auto_append_file.  auto_prepend_file, as arantius suggested works much better, as it is processed before, not after the image is called.
0
 
LVL 11

Expert Comment

by:neester
ID: 11872713
Hey HankKnight,

Yeah that woudl work too.
I was just thinking in terms of a prev. system I built.
I had custom input variables for each file etc...

You can use my method if you like - it is just a creative suggestion :)

glad you understand what the code does though :)
cheers mate

sorry bed time  :P 3am here
0

Featured Post

Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
Australian government abolished Visa 457 earlier this April and this article describes how this decision might affect Australian IT scene and IT experts.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
This video teaches users how to migrate an existing Wordpress website to a new domain.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question