• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 337
  • Last Modified:

Can I protect images and .htm documents with cookies?

Hello.

I use cookies to allow access to authenticates users to my CMS administration.  

Although the PHP scripts themselves are protected, the images and .htm documents in the /admin folder are not.

How can I limit access to ALL files in a directory and only alow those with the right cookie to access them?

I know this can be done without cookies using .htaccess but I don't want the URL to look like username:password@mysite.com/admin

I am using Linux/Apache/mySQL/PHP etc.

Thanks!
0
hankknight
Asked:
hankknight
  • 4
  • 4
  • 2
  • +2
2 Solutions
 
hernst42Commented:
for this you need a apache module which checks the cookie against the database for validity and then grants the user access or denys the access. I don't know of such a apache-module which could do this in an easy way. Maybe you even have to program it by your own. Checking only for the precence of the cookie or a valid structure of the cookie is not enough as those settings can easy be generated by someone who wnats to access the directory.
0
 
shalomcCTOCommented:
hankknight,
The best way to protect the admin folder is to use basic authentication - the very .htaccess that you want to avoid using.
If you create links like http://mysite.com/admin , the person will be prompted with a user and password challenge and there is nothing wrong with that.
I suppose that you planned to create a role called admin in your CMS, and to provide access to the admin area to whoever exists in the admin group. If that is your plan, you will have to develop your own apache module to match the authenticated session cookie with the admin group.
Another option, if you have the budget for it, is to implement a web access management package, like Tivoli Access Manager, and develop the module as a plugin to that system.

Cheers,
ShalomC
0
 
neesterCommented:
There is another way!

Its very fast and very clever....

Give me 10 minutes :)
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
neesterCommented:
Hey HanKJKnight,

YOU can use .HTACCESS in otherways to do what you want...

HERE IS A SOULUTION - this will work for all images & HTML documents in the ADMIN FOLDER:

setup the .htaccess file in teh directory you want to protect.

now add this code: (between the dashed lines)
---------------------------
ReWriteEngine On
ReWriteRule ^([a-zA-Z0-9]+).jpg$ loadimage.php?path=$1&type=jpg
ReWriteRule ^([a-zA-Z0-9]+).gif$ loadimage.php?path=$1&type=gif
ReWriteRule ^([a-zA-Z0-9]+).bmp$ loadimage.php?path=$1&type=bmp
ReWriteRule ^([a-zA-Z0-9]+).htm$ loadimage.php?path=$1&type=htm
ReWriteRule ^([a-zA-Z0-9]+).html$ loadimage.php?path=$1&type=html
---------------------------
I could combine those into one line, but i cant test the REGEX at the moment so this will do for now...


THEN create a page called "loadimage.php"
in that put this code:
----------------------------
<?
      $IMAGEPATH = $_GET['path'] . '.' . $_GET['type'];
      
      $LOGGEDIN = true;
      
      if ($LOGGEDIN == true)
      {
            
            $ABSPATH = '/home/neester/public_html/eac/';
            $FILE = file_get_contents($ABSPATH.$IMAGEPATH);
            if ($FILE)
            {
                  // FILE EXISTS
                  
                  switch($_GET['type'])
                  {
                        case 'jpg': header("Content-type: image/jpg\n"); break;
                        case 'gif': header("Content-type: image/gif\n"); break;
                        case 'bmp': header("Content-type: image/bmp\n"); break;
                        case 'htm':
                        case 'html': header("Content-type: text/html\n"); break;
                  
                  }
                  
                  print($FILE);
            
            }else{
                  // NO FILE!
                  echo("ERROR: $ABSPATH.$IMAGEPATH");
            }
            
      }else{
            // NO PERMISSION
            header("Location: http://yoursite.com/nopermission.html");
      }
?>
--------------------------------


0
 
neesterCommented:
OK Let me explain how that works!

BTW - I Accidentlly left my absolute path in there for my Box - so change that to the ABSPATH on your server.


THE WAY IT WORKS!


The HTACCESS intercepts the REQUEST for the JPG/GIV/BMP/HTML/HTM file...

it then redirects them to the PHP file (all behind the scences, its all on the server, their PC wont notice a THING!)
The PHP file then determines if they are logged in - by checking the cookies etc... you need to modify that file to your liking...

THEN...

If they are loggedin.
It will LOAD THE FILE up in the PHP and then OUTPUT the Binary data to the user!
SIMPLE!

IF they aren't logged in, it will just send them to another image...
you can make the image something like TRIPODS method - saying: IMAGE HOSTED BY TRIPOD etc...
If the file doesnt exist, same thing :)

You can modify that code however you like.


I HAVE a demo setup if you want to have a look - or if you cant get it working.
just let me know!


CHEERS!
- neester
0
 
shalomcCTOCommented:
That's clever.
You still have to develop some custom code to verify the authenticated session's permissions to the folder, instead of the
$LOGGEDIN = true;
 line

but it will be easier than coding an apache module.


ShalomC
0
 
arantiusCommented:
.htaccess in admin:

php_value auto_prepend_file check_cookie.php
AddType application/x-httpd-php .php .htm .gif .jpg

(whatever extensions you need here)

check_cookie.php:

<?
//logic here to check for the cookie
if (!$cookieIsOK) {
  print "Access denied";
  die;
  //or possibly: header("Location: /notallowed.htm");
}
?>
0
 
hankknightAuthor Commented:
Thanks.

I was really hoping that there would be an apache module-- I am sure that more people than just me would use it.

I like your creative approach, neester.  Wouldn't it be easier/simpler to just put the following in .htaccess?

----------------------------------------------------
                ForceType application/x-httpd-php
                php_value auto_append_file "/home/webadmin/domain.com/html/authenticate.php"
----------------------------------------------------

  where authenticate.php is
----------------------------------------------------
<php if ( put cookie check here ) exit; else {header("Location: http://$_SERVER["HTTP_HOST"]/nopermission.html");exit; }
----------------------------------------------------

What do you think?
0
 
hankknightAuthor Commented:
I typed my comment before reading arantius comment.

Looks like we have the same idea.
0
 
arantiusCommented:
I think that would work great hank.  That's what I posted 2 minutes ago =)
0
 
hankknightAuthor Commented:
Yea, like I said, it took me 10 mins to write, & when I posted it I saw your comment above mine.

This will process even images as PHP scripts.  What kind of server load and time added to return an image would this add?
0
 
hankknightAuthor Commented:
By the way, in my example, I used auto_append_file.  auto_prepend_file, as arantius suggested works much better, as it is processed before, not after the image is called.
0
 
neesterCommented:
Hey HankKnight,

Yeah that woudl work too.
I was just thinking in terms of a prev. system I built.
I had custom input variables for each file etc...

You can use my method if you like - it is just a creative suggestion :)

glad you understand what the code does though :)
cheers mate

sorry bed time  :P 3am here
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 4
  • 4
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now