
Apache Web Server Forum

    
.htaccess protected directory and IE8.
Fails to work in IE8, OK in Firefox and Chrome.
Nick1954




msg:4576418
 7:05 am on May 22, 2013 (gmt 0)

Hello,

I am using the following .htaccess file to allow access to subsequent areas of my web site only from within the domain itself, i.e. I want to prevent direct access to the file by typing the file location directly into the browser address bar.

#
# Make sure that this directory can only be accessed by other programs on this domain
#
SetEnvIfNoCase Referer mydomain.co.uk internal
#SetEnvIfNoCase origin mydomain.co.uk internal
#
order Deny,allow
Deny from all
allow from env=internal

Now this works perfectly when using Firefox or Chrome, but does not work with Internet Explorer 8.

The first page, which is not in the protected directory, loads OK, but an embedded mp3, the source of which is in a protected directory, does not play - it is coded as follows

<embed src="ProtectedDir/sounds/Welcome.mp3" autostart="true" width="1" height="1" hidden="false"></embed>.

I could move the file into the starting directory, but there is another problem.

When a button to continue is clicked

<input type="button" value="Continue" onClick="top.location='ProtectedDir/ProtectedFile.php'" />

to move to the next page in a protected directory, I get the following message.

Forbidden
You don't have permission to access /MyDir/ProtectedDir/ProtectedFile.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

This of course is the message you will get if you type the address directly into the browser address bar, which is what does happen.

As I mentioned, everything works OK in Firefox and Chrome - they both stop direct access but allow access using the Continue button, but IE8 fails to work.

I can only assume that there is some setting within IE8 that is preventing this working. Can anyone offer any advice on this and suggest a cure?

Thanks in advance,

Nick.

 

lucy24




msg:4576419
 7:25 am on May 22, 2013 (gmt 0)

There is no server-side solution to the problem of a missing referer. The server can only work with the information the User Agent sends it.

In any case, you can't rely on referer alone for security; it's vulnerable in both directions. One problem is the one you have already met. A browser may not send a referer, for any number of reasons. Could be browser default, user's privacy settings, even proxy or host decisions that are out of the user's power to change. Conversely, it is the easiest thing in the world to send a fake referer. Even the most dim-witted Ukrainian robot knows how to do it.

For most purposes, cookies are the way to deal with access-control issues. If it's something more serious, you are in htpasswd territory.

You also need to fine-tune your rule. It's extremely unlikely that you would want exactly the same restrictions on page requests and on non-page requests. If you absolutely must use mod_setenvif-- which I have to say would not be my choice here-- at least separate page from non-page. This is most easily done by looking at Request_URI with closing anchor.
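An added example, not part of the thread and not either poster's configuration: one way to put the htpasswd suggestion and the page/non-page split into a single .htaccess, using the same Apache 2.2-style access directives as the question. The realm name, the password-file path, the extension list and the optional `www.` prefix are assumptions, and `<FilesMatch>` is used for the split in place of a Request_URI test because it matches the file actually served.

```apache
# Added example. Assumes AllowOverride permits AuthConfig, Limit and FileInfo.

# --- Rule from the question, kept for comparison (disabled) ---
# One unanchored Referer match gates pages and media alike, so a client
# that omits Referer is locked out and one that sends a forged Referer is let in.
#   SetEnvIfNoCase Referer mydomain.co.uk internal
#   Order Deny,Allow
#   Deny from all
#   Allow from env=internal

# --- Default for everything in this directory: a login is required ---
# Basic auth sends the password with every request, so serve this over HTTPS.
AuthType Basic
AuthName "Protected area"
# Placeholder path: keep the file outside the document root.
# Create it with:  htpasswd -c /path/outside/docroot/.htpasswd someuser
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user

# --- Non-page files only: Referer as a hotlink deterrent, not as security ---
# Anchored at the start so the domain must be the Referer's host,
# not just a substring somewhere in the header.
SetEnvIfNoCase Referer "^https?://(www\.)?mydomain\.co\.uk/" internal
# Accept an absent Referer so browsers and proxies that strip it still get the file.
SetEnvIf Referer "^$" internal

<FilesMatch "\.(mp3|gif|jpe?g|png)$">
    Order Deny,Allow
    Deny from all
    Allow from env=internal
    # Either the Referer test passes or the visitor is logged in.
    Satisfy Any
</FilesMatch>
```

With this layout a request for ProtectedFile.php always needs a valid login whatever Referer the browser sends, while Welcome.mp3 is served to any visitor arriving from the site or sending no Referer at all.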
