Solved

Using Mod_Rewrite to detect cookies

Posted on 2004-08-23
Last Modified: 2012-05-05
Hello.

I use cookies to allow authenticated users access to my CMS administration.

Currently, the images and .htm documents in the /admin folder are not protected.

I considered putting the following in my .htaccess file to accomplish this:

          --------------------------------
          ForceType application/x-httpd-php
          php_value auto_append_file "authenticate.php"
          --------------------------------

But now I am thinking that it might be better to use mod_rewrite.

          --------------------------
          RewriteEngine on
          RewriteCond %{HTTP_cookie} ??????? I don't know what to put here ???????
          RewriteRule /* http://%{HTTP_HOST}/Not_Logged_In.html [R,L]
          --------------------------

I want to limit access to ALL files in a directory and only allow those with the right cookie to access them.

I feel like I am close but not close enough to a solution.

I am using Linux/Apache/mySQL/PHP etc.

Thanks!
Question by:hankknight
9 Comments
 
LVL 36

Expert Comment

by:Zyloch
ID: 11872946
Hi

I'm not too familiar with this, but you can try this:

RewriteCond %{HTTP_COOKIE} .*cookiename.*

However, this should only test if the cookie exists, not what the value is.

Regards,
Zyloch
0
 
LVL 16

Author Comment

by:hankknight
ID: 11873187
This seems to work, as long as the cookie name is
              PHPSESSID=3b37b77a01b703b2dad24bed8875e596

      ------------------------------------
      RewriteEngine on
      RewriteCond %{HTTP_cookie} !^PHPSESSID=3b37b77a01b703b2dad24bed8875e596
      RewriteRule /* /Not_Logged_In.html [R,L]
      ------------------------------------

The problem is that the cookie name changes every session (as it should for security reasons).

Is there a way that I can grab the name from a file or database or some other place where it could be dynamic?

I have thought about having a PHP script create the .htaccess file dynamically each time a person logged in but I would prefer not to have to do this. It could leave a security gap in the event that the PHP script failed, or while it was in the process of writing the file.
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 11876631
I'm at a library computer now that has very limited access to stuff, so I'll need to be checking back and forth between references and I can only open one browser, so I'll probably be doing this in a few posts.

I'm not familiar with a way to access databases with mod_rewrite. I do know that if you can write all your sessions to a text file on your server that is forbidden to be viewed (using .htaccess of course), you can use RewriteMap. From what I've read, it seems RewriteMap needs to be specified in your Apache httpd.conf file (in the second or third virtual section is what it said), following this format:

RewriteEngine on
RewriteMap sessionsTab txt:/somedirectory/sessions.txt

where I'm using sessionsTab as the name for the map, and I'm assuming you've stored all your session cookies in sessions.txt

0
 
LVL 36

Expert Comment

by:Zyloch
ID: 11876781
Ok, now I'm confusing myself. I can't quite get it to do exactly what I want, so I'm not sure if this will work.

You could, of course, use this:

RewriteCond %{HTTP_COOKIE} !^PHPSESSID=[A-Za-z0-9]{32} [NC]

(or you can take the [NC] out, which means PHPSESSID must be all caps)

This only makes it more rigid. I'm going to spend a few hours thinking about this...
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 11876800
By the way, if the above doesn't work, try this:

RewriteCond %{HTTP_COOKIE} !^PHPSESSID=(?:[A-Za-z0-9]{32})

or if that doesn't work, do this:

RewriteCond %{HTTP_COOKIE} !^PHPSESSID=([A-Za-z0-9]{32})

Man, I'm really rattled right now. Gotta spend this night thinking about this.
0
 
LVL 16

Author Comment

by:hankknight
ID: 11876912
Thanks!  

You are on to something...  I think RewriteMap is exactly what I need. And maybe used with RewriteLock?

I looked at the documentation and got royally confused . . .

http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html#rewritemap



The problem with

              RewriteCond %{HTTP_COOKIE} !^PHPSESSID=([A-Za-z0-9]{32})

is that it does not connect with sessions.txt.

I want to keep track of valid sessions with sessions.txt

So that if sessions.txt contains "PHPSESSID=3b37b77a01b703b2dad24bed8875e596" then the condition will only be met if the cookie does not contain "PHPSESSID=3b37b77a01b703b2dad24bed8875e596"

The contents of sessions.txt will be controlled by my login script.
0
 
LVL 16

Author Comment

by:hankknight
ID: 11876944
This really is a practical concept . . .

Once we get it figured out, I think I will use it for all of my directory protection needs.

I like the ability to protect EVERYTHING in a directory, but I don't like URLs that look like this:
         my_username:my_password@mysite.com
0
 
LVL 36

Accepted Solution

by:
Zyloch earned 500 total points
ID: 11877927
Finally back. Let me check.

I thought about it for a bit. I'm thinking this should work. Consider doing this:

Every time the user logs in, you create a new session cookie, probably storing all of this in mysql. To do this, you should also store the user's IP address in the database. Now, every time you create a new session cookie, open up the file, let's call it, userIP.txt. Add a line at the end that is this:

Remote User's IP Address + " true\n"

Now, every time the user logs out or the session ends, you should check the database before clearing the session, and grab the user's IP. Then, use regular expressions to delete the line with that user's IP.

Finally, then you can have this: (I'm hoping RewriteLock isn't needed since it seems to be for a program mapping only)

RewriteEngine on
RewriteMap sessionsTab txt:/somedirectory/userIP.txt

Then, in your .htaccess have this:

RewriteEngine on
# The "!" negates the pattern, so it goes before "=true", not before the test string.
RewriteCond ${sessionsTab:%{REMOTE_ADDR}} !=true
RewriteRule /* /Not_Logged_In.html [R,L]



Try and see if this works.
0
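The map-file bookkeeping described in the accepted solution, as an added PHP example that is not part of the original thread. The function name update_ip_map and the MAP_FILE path are assumptions; the file is replaced by an atomic rename so Apache never reads a partially written map, which is the gap the asker worried about with a script-written file.

```php
<?php
// Added example: keeps the "<ip> true" lines that RewriteMap reads.
// MAP_FILE is an assumed path; it must match the RewriteMap directive.
const MAP_FILE = '/somedirectory/userIP.txt';

// Adds ($loggedIn = true) or removes one address, then swaps the file in
// atomically so Apache never sees a half-written map.
function update_ip_map(string $mapFile, string $ip, bool $loggedIn): void
{
    // The value becomes a map key, so accept only a literal IP address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    // Serialise concurrent logins and logouts with a separate lock file.
    $lock = fopen($mapFile . '.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        throw new RuntimeException('cannot lock map');
    }
    try {
        $entries = [];
        $lines = is_file($mapFile) ? file($mapFile, FILE_IGNORE_NEW_LINES) : [];
        foreach ($lines ?: [] as $line) {
            $key = strtok($line, " \t");
            if ($key !== false && $key[0] !== '#') {
                $entries[$key] = true;
            }
        }
        if ($loggedIn) {
            $entries[$ip] = true;
        } else {
            unset($entries[$ip]);
        }
        $body = '';
        foreach (array_keys($entries) as $key) {
            $body .= $key . " true\n";
        }
        // Write beside the target, then rename(): atomic on one filesystem.
        $tmp = tempnam(dirname($mapFile), 'map');
        if ($tmp === false || file_put_contents($tmp, $body) === false
            || !rename($tmp, $mapFile)) {
            throw new RuntimeException('cannot write map');
        }
    } finally {
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

// Login:  update_ip_map(MAP_FILE, $_SERVER['REMOTE_ADDR'], true);
// Logout: update_ip_map(MAP_FILE, $storedIp, false);  // IP saved at login
```

A map keyed on REMOTE_ADDR authorizes every client that shares the logged-in user's address (NAT, proxies), so the application's own cookie check is still needed for anything sensitive.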
 
LVL 16

Author Comment

by:hankknight
ID: 11880033
Thanks!  Looks like just what I need.

I am getting the error: "RewriteMap not allowed here" and have a feeling that it is related to my httpd.conf settings or something.  I have posted a question here:

http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21105006.html

and will try out your solution once I get the error figured out.
0
