?
Solved

Can I protect images and .htm documents with cookies?

Posted on 2004-08-23
13
Medium Priority
?
338 Views
Last Modified: 2012-06-22
Hello.

I use cookies to allow access to authenticates users to my CMS administration.  

Although the PHP scripts themselves are protected, the images and .htm documents in the /admin folder are not.

How can I limit access to ALL files in a directory and only alow those with the right cookie to access them?

I know this can be done without cookies using .htaccess but I don't want the URL to look like username:password@mysite.com/admin

I am using Linux/Apache/mySQL/PHP etc.

Thanks!
0
Comment
Question by:hankknight
  • 4
  • 4
  • 2
  • +2
13 Comments
 
LVL 48

Expert Comment

by:hernst42
ID: 11869904
for this you need a apache module which checks the cookie against the database for validity and then grants the user access or denys the access. I don't know of such a apache-module which could do this in an easy way. Maybe you even have to program it by your own. Checking only for the precence of the cookie or a valid structure of the cookie is not enough as those settings can easy be generated by someone who wnats to access the directory.
0
 
LVL 34

Expert Comment

by:shalomc
ID: 11870590
hankknight,
The best way to protect the admin folder is to use basic authentication - the very .htaccess that you want to avoid using.
If you create links like http://mysite.com/admin , the person will be prompted with a user and password challenge and there is nothing wrong with that.
I suppose that you planned to create a role called admin in your CMS, and to provide access to the admin area to whoever exists in the admin group. If that is your plan, you will have to develop your own apache module to match the authenticated session cookie with the admin group.
Another option, if you have the budget for it, is to implement a web access management package, like Tivoli Access Manager, and develop the module as a plugin to that system.

Cheers,
ShalomC
0
 
LVL 11

Expert Comment

by:neester
ID: 11870840
There is another way!

Its very fast and very clever....

Give me 10 minutes :)
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
LVL 11

Assisted Solution

by:neester
neester earned 500 total points
ID: 11870963
Hey HanKJKnight,

YOU can use .HTACCESS in otherways to do what you want...

HERE IS A SOULUTION - this will work for all images & HTML documents in the ADMIN FOLDER:

setup the .htaccess file in teh directory you want to protect.

now add this code: (between the dashed lines)
---------------------------
ReWriteEngine On
ReWriteRule ^([a-zA-Z0-9]+).jpg$ loadimage.php?path=$1&type=jpg
ReWriteRule ^([a-zA-Z0-9]+).gif$ loadimage.php?path=$1&type=gif
ReWriteRule ^([a-zA-Z0-9]+).bmp$ loadimage.php?path=$1&type=bmp
ReWriteRule ^([a-zA-Z0-9]+).htm$ loadimage.php?path=$1&type=htm
ReWriteRule ^([a-zA-Z0-9]+).html$ loadimage.php?path=$1&type=html
---------------------------
I could combine those into one line, but i cant test the REGEX at the moment so this will do for now...


THEN create a page called "loadimage.php"
in that put this code:
----------------------------
<?
      $IMAGEPATH = $_GET['path'] . '.' . $_GET['type'];
      
      $LOGGEDIN = true;
      
      if ($LOGGEDIN == true)
      {
            
            $ABSPATH = '/home/neester/public_html/eac/';
            $FILE = file_get_contents($ABSPATH.$IMAGEPATH);
            if ($FILE)
            {
                  // FILE EXISTS
                  
                  switch($_GET['type'])
                  {
                        case 'jpg': header("Content-type: image/jpg\n"); break;
                        case 'gif': header("Content-type: image/gif\n"); break;
                        case 'bmp': header("Content-type: image/bmp\n"); break;
                        case 'htm':
                        case 'html': header("Content-type: text/html\n"); break;
                  
                  }
                  
                  print($FILE);
            
            }else{
                  // NO FILE!
                  echo("ERROR: $ABSPATH.$IMAGEPATH");
            }
            
      }else{
            // NO PERMISSION
            header("Location: http://yoursite.com/nopermission.html");
      }
?>
--------------------------------


0
 
LVL 11

Expert Comment

by:neester
ID: 11870994
OK Let me explain how that works!

BTW - I Accidentlly left my absolute path in there for my Box - so change that to the ABSPATH on your server.


THE WAY IT WORKS!


The HTACCESS intercepts the REQUEST for the JPG/GIV/BMP/HTML/HTM file...

it then redirects them to the PHP file (all behind the scences, its all on the server, their PC wont notice a THING!)
The PHP file then determines if they are logged in - by checking the cookies etc... you need to modify that file to your liking...

THEN...

If they are loggedin.
It will LOAD THE FILE up in the PHP and then OUTPUT the Binary data to the user!
SIMPLE!

IF they aren't logged in, it will just send them to another image...
you can make the image something like TRIPODS method - saying: IMAGE HOSTED BY TRIPOD etc...
If the file doesnt exist, same thing :)

You can modify that code however you like.


I HAVE a demo setup if you want to have a look - or if you cant get it working.
just let me know!


CHEERS!
- neester
0
 
LVL 34

Expert Comment

by:shalomc
ID: 11871057
That's clever.
You still have to develop some custom code to verify the authenticated session's permissions to the folder, instead of the
$LOGGEDIN = true;
 line

but it will be easier than coding an apache module.


ShalomC
0
 
LVL 18

Accepted Solution

by:
arantius earned 1500 total points
ID: 11871336
.htaccess in admin:

php_value auto_prepend_file check_cookie.php
AddType application/x-httpd-php .php .htm .gif .jpg

(whatever extensions you need here)

check_cookie.php:

<?
//logic here to check for the cookie
if (!$cookieIsOK) {
  print "Access denied";
  die;
  //or possibly: header("Location: /notallowed.htm");
}
?>
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871367
Thanks.

I was really hoping that there would be an apache module-- I am sure that more people than just me would use it.

I like your creative approach, neester.  Wouldn't it be easier/simpler to just put the following in .htaccess?

----------------------------------------------------
                ForceType application/x-httpd-php
                php_value auto_append_file "/home/webadmin/domain.com/html/authenticate.php"
----------------------------------------------------

  where authenticate.php is
----------------------------------------------------
<php if ( put cookie check here ) exit; else {header("Location: http://$_SERVER["HTTP_HOST"]/nopermission.html");exit; }
----------------------------------------------------

What do you think?
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871399
I typed my comment before reading arantius comment.

Looks like we have the same idea.
0
 
LVL 18

Expert Comment

by:arantius
ID: 11871403
I think that would work great hank.  That's what I posted 2 minutes ago =)
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871587
Yea, like I said, it took me 10 mins to write, & when I posted it I saw your comment above mine.

This will process even images as PHP scripts.  What kind of server load and time added to return an image would this add?
0
 
LVL 16

Author Comment

by:hankknight
ID: 11871668
By the way, in my example, I used auto_append_file.  auto_prepend_file, as arantius suggested works much better, as it is processed before, not after the image is called.
0
 
LVL 11

Expert Comment

by:neester
ID: 11872713
Hey HankKnight,

Yeah that woudl work too.
I was just thinking in terms of a prev. system I built.
I had custom input variables for each file etc...

You can use my method if you like - it is just a creative suggestion :)

glad you understand what the code does though :)
cheers mate

sorry bed time  :P 3am here
0

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The first step to building an amazing About page is to figure out what you want the page to say about your company. You then must grab the attention of the reader, boast a bit, tell a story and let others brag about you. With a little bit of thought…
I recently worked on a Wordpress site that utilized the popular ContactForm7 (https://contactform7.com/) plug-in that only sends an email and does not save data. The client wanted the data saved to a custom CRM database. This is my solution.
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.

568 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question