Solved

Using Mod_Rewrite to detect cookies

Posted on 2004-08-23
3,621 Views
Last Modified: 2012-05-05
Hello.

I use cookies to allow access to authenticated users to my CMS administration.  

Currently, the images and .htm documents in the /admin folder are not protected.

I considered putting the following in my .htaccess file to accomplish this:

          --------------------------------
          ForceType application/x-httpd-php
          # prepend, not append: the check must run before the file is output
          php_value auto_prepend_file "authenticate.php"
          --------------------------------

But now I am thinking that it might be better to use mod_rewrite.

          --------------------------
          RewriteEngine on
          # variable names are case-sensitive: HTTP_COOKIE, not HTTP_cookie
          RewriteCond %{HTTP_COOKIE} ??????? I don't know what to put here ???????
          RewriteRule .* http://%{HTTP_HOST}/Not_Logged_In.html [R,L]
          --------------------------

I want to limit access to ALL files in a directory and only allow those with the right cookie to access them.

I feel like I am close but not close enough to a solution.

I am using Linux/Apache/mySQL/PHP etc.

Thanks!
Question by:hankknight
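As an added example (not code from the question or from the CMS it describes), one way to get both things the question asks for, every file in /admin protected and the decision made by the PHP session rather than by a fixed cookie value, is to route every request for the directory through a small PHP gatekeeper. It assumes the login script stores the logged-in user in $_SESSION['admin_user'] and that the script lives at /admin/serve.php; the RewriteRule it needs is in the header comment. Because the script, not ForceType, serves the files, images are never run through the PHP parser.

```php
<?php
// serve.php  -- added example, not code from the thread.
// Gatekeeper for everything in /admin: Apache hands every request for the
// directory to this script, which checks the PHP session first and only then
// streams the file. Assumed /admin/.htaccess (mod_rewrite, no RewriteMap needed):
//
//   RewriteEngine on
//   RewriteCond %{REQUEST_URI} !/serve\.php$
//   RewriteRule ^(.+)$ serve.php?f=$1 [L,QSA]
//
// Assumption: the login script sets $_SESSION['admin_user'] on success.

session_start();
if (empty($_SESSION['admin_user'])) {
    // Same target the thread uses for anonymous visitors.
    header('Location: /Not_Logged_In.html');
    exit;
}

// Only files below this directory may be served.
$base = realpath(dirname(__FILE__));
$req  = isset($_GET['f']) ? $_GET['f'] : '';
$path = realpath($base . '/' . $req);

// realpath() collapses "..", so a prefix check defeats traversal
// (e.g. f=../../etc/passwd) and symlinks pointing outside the folder.
if ($path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// Never hand out PHP source (this script or the login code) as a download.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if ($ext === 'php') {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// Static types found in an admin folder; anything else is sent as a download.
$types = array(
    'htm' => 'text/html', 'html' => 'text/html', 'css' => 'text/css',
    'js'  => 'application/javascript', 'png' => 'image/png',
    'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
);
$mime = isset($types[$ext]) ? $types[$ext] : 'application/octet-stream';

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');   // keep admin assets out of shared caches
readfile($path);
```

The RewriteCond excludes serve.php itself so the rewritten request is not rewritten again, and the prefix check on the realpath() result is what stops `f=../../etc/passwd` from leaving the directory.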
9 Comments

Expert Comment

by:Zyloch
ID: 11872946
Hi

I'm not too familiar with this, but you can try this:

RewriteCond %{HTTP_COOKIE} .*cookiename.*

However, this should only test if the cookie exists, not what the value is.

Regards,
Zyloch

Author Comment

by:hankknight
ID: 11873187
This seems to work, as long as the cookie name is
              PHPSESSID=3b37b77a01b703b2dad24bed8875e596

      ------------------------------------
      RewriteEngine on
      # HTTP_COOKIE is case-sensitive; (^|;\s*) also matches when other cookies precede it
      RewriteCond %{HTTP_COOKIE} !(^|;\s*)PHPSESSID=3b37b77a01b703b2dad24bed8875e596
      RewriteRule .* /Not_Logged_In.html [R,L]
      ------------------------------------

The problem is that the cookie name changes every session (as it should for security reasons) .

Is there a way that I can grab the name from a file or database or some other place where it could be dynamic?

I have thought about having a PHP script create the .htaccess file dynamically each time a person logged in but I would prefer not to have to do this. It could leave a security gap in the event that the PHP script failed, or while it was in the process of writing the file.

Expert Comment

by:Zyloch
ID: 11876631
I'm at a library computer now that has very limited access to stuff, so I'll need to be checking back and forth between references and I can only open one browser, so I'll probably be doing this in a few posts.

I'm not familiar with a way to access databases with mod_rewrite. I do know that if you can write all your sessions to a text file on your server that is forbidden to be viewed (using .htaccess of course), you can use RewriteMap. From what I've read, it seems RewriteMap needs to be specified in your Apache httpd.conf file (in the second or third virtual section is what it said), following this format:

RewriteEngine on
RewriteMap sessionsTab txt:/somedirectory/sessions.txt

where I'm using sessionsTab as the name for the map, and I'm assuming you've stored all your session cookies in sessions.txt


Expert Comment

by:Zyloch
ID: 11876781
Ok, now I'm confusing myself. I can't quite get it to do exactly what I want, so I'm not sure if this will work.

You could, of course, use this:

RewriteCond %{HTTP_COOKIE} !(^|;\s*)PHPSESSID=[A-Za-z0-9]{32} [NC]

(or you can take the [NC] out, which means PHPSESSID must be all caps)

This only makes it more rigid. I'm going to spend a few hours thinking about this...

Expert Comment

by:Zyloch
ID: 11876800
By the way, if the above doesn't work, try this:

RewriteCond %{HTTP_COOKIE} !(^|;\s*)PHPSESSID=(?:[A-Za-z0-9]{32})

or if that doesn't work, do this:

RewriteCond %{HTTP_COOKIE} !(^|;\s*)PHPSESSID=([A-Za-z0-9]{32})

Man, I'm really rattled right now. Gotta spend this night thinking about this.

Author Comment

by:hankknight
ID: 11876912
Thanks!  

You are on to something...  I think RewriteMap is exactly what I need. And maybe used with RewriteLock?

I looked at the documentation and got royally confused . . .

http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html#rewritemap



The problem with

              RewriteCond %{HTTP_COOKIE} !(^|;\s*)PHPSESSID=([A-Za-z0-9]{32})

is that it does not connect with sessions.txt.

I want to keep track of valid sessions with sessions.txt

So that if sessions.txt contains "PHPSESSID=3b37b77a01b703b2dad24bed8875e596" then the condition will only be met if the cookie does not contain "PHPSESSID=3b37b77a01b703b2dad24bed8875e596"

The contents of sessions.txt will be controlled by my login script.

Author Comment

by:hankknight
ID: 11876944
This really is a practical concept . . .

Once we get it figured out, I think I will use it for all of my directory protection needs.

I like the ability to protect EVERYTHING in a directory, but I don't like URLs that look like this:
         my_username:my_password@mysite.com

Accepted Solution

by: Zyloch (earned 500 total points)
ID: 11877927
Finally back. Let me check.

I thought about it for a bit. I'm thinking this should work. Consider doing this:

Every time the user logs in, you create a new session cookie, probably storing all of this in mysql. To do this, you should also store the user's IP address in the database. Now, every time you create a new session cookie, open up the file, let's call it userIP.txt. Add a line at the end that is this:

Remote User's IP Address + " true\n"

Now, every time the user logs out or the session ends, you should check the database before clearing the session, and grab the user's IP. Then, use regular expressions to delete the line with that user's IP.

Finally, then you can have this: (I'm hoping RewriteLock isn't needed since it seems to be for a program mapping only)

RewriteEngine on
RewriteMap sessionsTab txt:/somedirectory/userIP.txt

Then, in your .htaccess have this:

RewriteEngine on
# RewriteCond is "TestString CondPattern": the map lookup is the test string,
# the negation belongs on the pattern, and |false supplies a default for unknown IPs
RewriteCond ${sessionsTab:%{REMOTE_ADDR}|false} !=true
RewriteRule .* /Not_Logged_In.html [R,L]



Try and see if this works.
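The accepted answer leaves the map file to "your login script". As an added example (not code from the thread or from the poster's CMS), here are login and logout hooks that keep a RewriteMap text file in step with the PHP session and rewrite it atomically, which addresses the worry raised earlier about a gap "while it was in the process of writing the file". It keys the map on the session ID, as the poster asked for in the comment about sessions.txt, instead of on REMOTE_ADDR; the writer is the same either way. Assumed: the map path /somedirectory/sessions.txt from the thread, the default "files" session handler, and the Apache directives quoted in the header comment (which are not the original poster's).

```php
<?php
// sessions_map.php -- added example, not code from the thread.
// Login/logout hooks that keep the RewriteMap text file in step with the PHP
// session, rewriting it atomically (temp file + rename) so Apache never reads
// a half-written map.
//
// Assumed Apache side. httpd.conf / <VirtualHost> (RewriteMap is not allowed
// in .htaccess, which is the "RewriteMap not allowed here" error below):
//
//   RewriteEngine on
//   RewriteMap sessionsTab txt:/somedirectory/sessions.txt
//
// /admin/.htaccess. Two rules: no session cookie at all, or a cookie whose
// ID is not in the map. (A single negated RewriteCond cannot do both, since a
// negated pattern sets no %N back-references for the map lookup.)
//
//   RewriteEngine on
//   RewriteCond %{HTTP_COOKIE} !(^|;\s*)PHPSESSID=
//   RewriteRule .* /Not_Logged_In.html [R,L]
//   RewriteCond %{HTTP_COOKIE} (^|;\s*)PHPSESSID=([A-Za-z0-9,-]+)
//   RewriteCond ${sessionsTab:%2|false} !=true
//   RewriteRule .* /Not_Logged_In.html [R,L]

define('SESSIONS_MAP', '/somedirectory/sessions.txt');   // path from the thread; keep it outside DocumentRoot

// Add ($value = 'true') or remove ($value = null) one key. Entries whose PHP
// session file has disappeared (expired and garbage-collected without a
// logout) are dropped on every rewrite. Assumes the default "files" handler
// with a plain session.save_path.
function sessions_map_update($file, $key, $value)
{
    // Whitespace or a newline in a key would inject extra map entries.
    // Allowed: PHP session IDs, or IPv4/IPv6 text if you key on REMOTE_ADDR.
    if (!preg_match('/^[A-Za-z0-9.,:-]+$/', $key)) {
        return false;
    }
    $lock = fopen($file . '.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        return false;
    }

    $entries = array();
    if (is_readable($file)) {
        foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
            if ($line[0] === '#') {
                continue;                          // comment line in a txt map
            }
            $parts = preg_split('/\s+/', trim($line), 2);
            if (count($parts) === 2) {
                $entries[$parts[0]] = $parts[1];
            }
        }
    }

    if ($value === null) {
        unset($entries[$key]);
    } else {
        $entries[$key] = $value;
    }

    $savePath = session_save_path() !== '' ? session_save_path() : sys_get_temp_dir();
    $out = "# valid admin sessions, written by sessions_map.php\n";
    foreach ($entries as $k => $v) {
        // The key being added may not have its session file on disk yet.
        if ($k !== $key && !file_exists($savePath . '/sess_' . $k)) {
            continue;                              // stale: session gone, drop it
        }
        $out .= $k . ' ' . $v . "\n";
    }

    // Same directory as the map so rename() is an atomic replace on one filesystem.
    $tmp = tempnam(dirname($file), 'sess');
    $ok  = $tmp !== false
        && file_put_contents($tmp, $out) !== false
        && chmod($tmp, 0644)
        && rename($tmp, $file);

    flock($lock, LOCK_UN);
    fclose($lock);
    return $ok;
}

// Call after the credentials have checked out.
function admin_login_succeeded($username)
{
    session_regenerate_id(true);                   // fresh ID on login; the old one is gone
    $_SESSION['admin_user'] = $username;
    return sessions_map_update(SESSIONS_MAP, session_id(), 'true');
}

// Call from the logout page.
function admin_logout()
{
    sessions_map_update(SESSIONS_MAP, session_id(), null);
    $_SESSION = array();
    session_destroy();
}
```

mod_rewrite re-reads a txt: map when the file's modification time changes, so the rename() is picked up on the next request without a restart, and a request that arrives mid-write sees either the old complete file or the new one. If you keep the REMOTE_ADDR keying of the accepted answer instead, note that everyone behind the same NAT or proxy address as a logged-in administrator also satisfies the condition; keying on the session ID avoids that.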

Author Comment

by:hankknight
ID: 11880033
Thanks!  Looks like just what I need.

I am getting the error: "RewriteMap not allowed here" and have a feeling that it is related to my httpd.conf settings or something.  I have posted a question here:

http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21105006.html

and will try out your solution once I get the error figured out.