Deny access to subdirectories in Apache 2.2 (linux)

Hi experts,
I'm trying to find a way to deny access to some subdirectories of the root site unless previously pass the access control.

This is what I have in mind:
E.g.
DocumentRoot is /usr/local/apache2/htdocs/root
In the web root directory I have a login page that is checking users & passwords in a data base. Only if the information returned form the server is ok, the user will be able to get in the next subdirectory call "menu"  (/usr/local/apache2/htdocs/root/menu).
I already create the program for users authentication.
A user accessing from the browser is typing in the url http://webserver/login.html
What I'm trying to deny is the direct access to the subdirectory "menu" http://webserver/menu/menu.html without previously validate the password.
I read that it could be possible setting environments variables in the directories in the httpd.conf file¿?
Please note that I'm NOT trying to implement an access control using .htpasswd

Thank you for yours advices.

Regards,
alcaniAsked:
Who is Participating?
 
ravenplConnect With a Mentor Commented:
> Please note that I'm NOT trying to implement an access control using .htpasswd
Then apache will not help You.

What You have to do, is to verify user with every script within protected directory.
As for downloads, deny direct downloads with .htaccess (sic, htaccess required), and implement them with another script.
0
 
alcaniAuthor Commented:
Do you  have any example? or a link where I can find this information more detailed?
Thank you
0
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

 
alcaniAuthor Commented:
Thank you for yours answers.
I already used htaccess and I known how it works.
Im looking for other thing, maybe is not possible but I will try to explain it in other terms&

In the httpd.conf file, my directory will be like this
<Directory /usr/local/apache2/htdocs/root/menu">
   Options ¿??
   Order deny,allow
   Deny from all      
   Allow from env=PASS_OK
</Directory>

The access to the subdirectory menu would be forbidden, unless the environment variable will be set to ok.
From de login page I'll get information in a hidden field in order to determine if the user-password is correct. If is incorrect, the user will be sent another time to login page. Other wise I would like set the variable PASS_OK for get in the subdirectory "menu".

Is it possible?
0
 
ravenplConnect With a Mentor Commented:
The problem is that someone has to set this env variable first - it could be the cgi/php script - hence it has to be run first - but apache denies the access :(
So instead of env var You could verify if cookie/get/post variable is set - though it's not security (say security by obscurity).
Unfortunately, if the auth isn't apache based, apache cannot verify if user is authenticated or not - and we back in the first line (the egg chicken problem).

What could be implemented (it's idea only).
Your login page sends out a cookie, so client will return it all subsequent requests, the mod_rewrite is capable of running subrequests passing the cookie (it has to be to apache unprotected folder) - the subrequest could then return whether user is authenticated or not.

But I have never implemented such thing. Either You will examine it works by Yourself, or other expert will aid You with this.
0
 
alcaniAuthor Commented:
n
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.