Solved

Using Mod_Rewrite to detect cookies

Posted on 2004-08-23
3,606 Views
Last Modified: 2012-05-05
Hello.

I use cookies to allow authenticated users access to my CMS administration.

Currently, the images and .htm documents in the /admin folder are not protected.

I considered putting the following in my .htaccess file to accomplish this:

          --------------------------------
          ForceType application/x-httpd-php
          php_value auto_append_file "authenticate.php"
          --------------------------------

But now I am thinking that it might be better to use mod_rewrite.

          --------------------------
          RewriteEngine on
          RewriteCond %{HTTP_cookie} ??????? I don't know what to put here ???????
          RewriteRule /* http://%{HTTP_HOST}/Not_Logged_In.html [R,L]
          --------------------------

I want to limit access to ALL files in a directory and only allow those with the right cookie to access them.

I feel like I am close but not close enough to a solution.

I am using Linux/Apache/mySQL/PHP etc.

Thanks!
Question by: hankknight
9 Comments
 
Expert Comment by: Zyloch (LVL 36)
Hi

I'm not too familiar with this, but you can try this:

RewriteCond %{HTTP_COOKIE} .*cookiename.*

However, this should only test if the cookie exists, not what the value is.

Regards,
Zyloch

Author Comment by: hankknight (LVL 16)
This seems to work, as long as the cookie name is
              PHPSESSID=3b37b77a01b703b2dad24bed8875e596

      ------------------------------------
      RewriteEngine on
      RewriteCond %{HTTP_COOKIE} !^PHPSESSID=3b37b77a01b703b2dad24bed8875e596
      RewriteRule /* /Not_Logged_In.html [R,L]
      ------------------------------------

The problem is that the cookie name changes every session (as it should, for security reasons).

Is there a way that I can grab the name from a file or database or some other place where it could be dynamic?

I have thought about having a PHP script create the .htaccess file dynamically each time a person logged in, but I would prefer not to have to do this; it could leave a security gap in the event that the PHP script failed, or while it was in the process of writing the file.

Expert Comment by: Zyloch (LVL 36)
I'm at a library computer now that has very limited access to stuff, so I'll need to be checking back and forth between references and I can only open one browser, so I'll probably be doing this in a few posts.

I'm not familiar with a way to access databases with mod_rewrite. I do know that if you can write all your sessions to a text file on your server that is forbidden to be viewed (using .htaccess of course), you can use RewriteMap. From what I've read, it seems RewriteMap needs to be specified in your Apache httpd.conf file (in the second or third virtual section is what it said), following this format:

RewriteEngine on
RewriteMap sessionsTab txt:/somedirectory/sessions.txt

where I'm using sessionsTab as the name for the map, and I'm assuming you've stored all your session cookies in sessions.txt.


Expert Comment by: Zyloch (LVL 36)
Ok, now I'm confusing myself. I can't quite get it to do exactly what I want, so I'm not sure if this will work.

You could, of course, use this:

RewriteCond %{HTTP_COOKIE} !^PHPSESSID=[A-Za-z0-9]{32} [NC]

(or you can take the [NC] out, which means PHPSESSID must be all caps)

This only makes it more rigid. I'm going to spend a few hours thinking about this...

Expert Comment by: Zyloch (LVL 36)
By the way, if the above doesn't work, try this:

RewriteCond %{HTTP_COOKIE} !^PHPSESSID=(?:[A-Za-z0-9]{32})

or if that doesn't work, do this:

RewriteCond %{HTTP_COOKIE} !^PHPSESSID=([A-Za-z0-9]{32})

Man, I'm really rattled right now. Gotta spend this night thinking about this.

Author Comment by: hankknight (LVL 16)
Thanks!  

You are on to something...  I think RewriteMap is exactly what I need. And maybe used with RewriteLock?

I looked at the documentation and got royally confused . . .

http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html#rewritemap

The problem with

              RewriteCond %{HTTP_COOKIE} !^PHPSESSID=([A-Za-z0-9]{32})

is that it does not connect with sessions.txt.

I want to keep track of valid sessions with sessions.txt

So that if sessions.txt contains "PHPSESSID=3b37b77a01b703b2dad24bed8875e596" then the condition will only be met if the cookie does not contain "PHPSESSID=3b37b77a01b703b2dad24bed8875e596"

The contents of sessions.txt will be controlled by my login script.

Author Comment by: hankknight (LVL 16)
This really is a practical concept . . .

Once we get it figured out, I think I will use it for all of my directory protection needs.

I like the ability to protect EVERYTHING in a directory, but I don't like URLs that look like this:
         my_username:my_password@mysite.com

Accepted Solution by: Zyloch (LVL 36, earned 500 total points)
Finally back. Let me check.

I thought about it for a bit. I'm thinking this should work. Consider doing this:

Every time the user logs in, you create a new session cookie, probably storing all of this in mysql. To do this, you should also store the user's IP address in the database. Now, every time you create a new session cookie, open up the file, let's call it userIP.txt. Add a line at the end that is this:

Remote User's IP Address + " true\n"

Now, every time the user logs out or the session ends, you should check the database before clearing the session, and grab the user's IP. Then, use regular expressions to delete the line with that user's IP.

Finally, you can have this: (I'm hoping RewriteLock isn't needed since it seems to be for a program mapping only)

RewriteEngine on
RewriteMap sessionsTab txt:/somedirectory/userIP.txt

Then, in your .htaccess have this:

RewriteEngine on
# the "!" negates the pattern, so it goes in front of "=true", not in front of the map lookup;
# "|false" supplies a default when the address is not in the map
RewriteCond ${sessionsTab:%{REMOTE_ADDR}|false} !=true
RewriteRule .* /Not_Logged_In.html [R,L]
Try and see if this works.
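Putting the thread's pieces together, as an added example that is not code from any of the posts above: this configuration keys the RewriteMap on the PHPSESSID value (the sessions.txt idea from the author's earlier comment) rather than on the client address as in the accepted answer, because many users behind one NAT or proxy share a single IP, so an address cannot stand in for a session. It also replaces the bare `^PHPSESSID=` anchor from the earlier comments with a pattern that finds the cookie anywhere in a multi-cookie header. The map path, the file name and the literal value `true` are assumptions.

```apache
# --- httpd.conf (server config or <VirtualHost> context; RewriteMap is not
#     allowed in .htaccess, which is what "RewriteMap not allowed here" means) ---
RewriteEngine on
# A "txt:" map is one "key value" pair per line; "#" starts a comment.
# The login script writes the 32-character PHPSESSID value of every live
# session here. The path is an assumption; keep it outside the document root.
RewriteMap sessionsTab txt:/var/lib/cms/sessions.txt

# --- /admin/.htaccess ---
RewriteEngine on

# 1. No well-formed PHPSESSID cookie at all -> redirect.
#    The Cookie header may carry several cookies ("a=1; PHPSESSID=...; b=2"),
#    so the id is matched at the start of the header or after a ";".
RewriteCond %{HTTP_COOKIE} !(?:^|;\s*)PHPSESSID=[A-Za-z0-9]{32}(?:;|$)
RewriteRule .* /Not_Logged_In.html [R,L]

# 2. Cookie present: capture the id into %1, look it up in the map
#    (defaulting to "false" when the key is absent) and redirect unless
#    the map says "true".
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)PHPSESSID=([A-Za-z0-9]{32})(?:;|$)
RewriteCond ${sessionsTab:%1|false} !=true
RewriteRule .* /Not_Logged_In.html [R,L]

# The accepted answer's variant keys the same map on the client address:
#   RewriteCond ${sessionsTab:%{REMOTE_ADDR}|false} !=true

# --- /var/lib/cms/sessions.txt (constructed sample; one line per live
#     session, written by the login script, removed on logout or expiry) ---
# 3b37b77a01b703b2dad24bed8875e596 true
```

Two points on the map file: mod_rewrite re-reads a txt map when its modification time changes, so the login script should write the complete new map to a temporary file in the same directory and rename it over sessions.txt; a rename is atomic and Apache never sees a half-written file, which addresses the race the author worried about. And a line that is never removed keeps its session id valid indefinitely, so logout and session expiry must both delete the line. The rewrite rules only gate the static images and .htm files; the PHP pages keep validating the session themselves.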
 
LVL 16

Author Comment

by:hankknight
Comment Utility
Thanks!  Looks like just what I need.

I am getting the error: "RewriteMap not allowed here" and have a feeling that it is related to my httpd.conf settings or something.  I have posted a question here:

http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21105006.html

and will try out your solution once I get the error figured out.