direct link or no access (.htaccess?)

limit access to sub directory via .htaccess

         

XiRoCCo

3:53 am on Dec 8, 2006 (gmt 0)

10+ Year Member



I have a sub directory under the public root of my site:

root ---> www.MySite.abc
sub dir > www.MySite.abc/SubDirectory

My main site requires a login before the page data will appear (private site). Once logged in, I wish to have a link on my main root web site which links to the pages in the sub directory. But - I do not want anyone to be able to open a browser directly to the sub directory. They 'must' click the link on the root site, or at least enter from within the root folder (somehow?).

Is there a way with .htaccess to prevent direct entry into the sub directory, or at least somehow limit entry to those who have passed through the root?

Thanks (hope that makes sense) :)

MichaelBluejay

8:24 am on Dec 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yes and no. Browsers usually tell your server what page they came from when going to a new page, but not always. Often that information is blank. You could block requests for the subdirectory which have an empty referrer, but you won't know whether it's blank because the visitor is trying to access it directly, or because the browser just didn't pass along the referrer info.

Another option is to set a cookie in a visitor's browser when they go to a root page, then if someone arrives at a subdir page without a cookie, you know they haven't been to the root level yet, and you can redirect them there. Does this sound like what you're looking for?
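The two options described in the post above, written out as `.htaccess` rules. This is an added example, not code posted by anyone in the thread; it assumes mod_rewrite is enabled, and the cookie name `entered_root` is made up for illustration.

```apache
# --- /.htaccess (site root) --------------------------------------------
# Every request served from the root level marks the browser with a
# session cookie. "entered_root" is a hypothetical name for this example.
RewriteEngine On
RewriteRule ^ - [CO=entered_root:1:.MySite.abc]

# --- /SubDirectory/.htaccess -------------------------------------------
# Turning the engine on here replaces the root rules for this directory
# (no "RewriteOptions Inherit"), so requests for the sub directory never
# set the cookie themselves.
RewriteEngine On

# Option 1 (referrer), left commented out: refuse any request whose
# Referer is not a page on this site. An empty Referer fails the test too,
# so a visitor whose browser or proxy withholds the header gets a 403
# exactly like a visitor who typed the URL.
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?MySite\.abc/ [NC]
#RewriteRule ^ - [F]

# Option 2 (cookie): a request without the cookie has not been to a root
# page in this browser session, so redirect it to the site root.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)entered_root=1(;|$)
RewriteRule ^ / [R=302,L]
```

Both the Referer header and the cookie are values the client supplies, so these rules steer navigation rather than prove that the visitor logged in; that check has to happen server-side in the CMS.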

XiRoCCo

6:00 pm on Dec 8, 2006 (gmt 0)

10+ Year Member



Yes - it does sound "just" like what I need. Unfortunately, I am using a Content Management System and do not know how to initiate a cookie at the root - or how to check for it at the sub directory.

MichaelBluejay

3:01 am on Dec 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you're able to add code to your pages, then you can add a few lines of JavaScript to set/check the cookie. Do a search and you'll find tons of pages explaining how to do so. There are two problems with this: If anyone has JavaScript turned off, they'll bypass your security system. Also, sometimes it could take a second for JavaScript to check the cookie and then deliver an Access Denied page, and before that happens then unapproved users could see the forbidden content. But this is the easiest/cheapest solution if it's good enough.

The proper solution would be to edit your CMS software, which would work even if JavaScript were turned off, and would work before unapproved users ever saw any restricted content. You'll probably have to hire a programmer to do this, unless you want to spend some time learning the language your CMS is written in. I assume it's written in something like PHP, Perl, or ASP.net? I imagine it would be easy to find someone to do this for $50 or less. (Not me though, I have enough work.)

XiRoCCo

7:33 pm on Dec 9, 2006 (gmt 0)

10+ Year Member



Michael - thanks for such a thorough reply to my issue :) ... Actually, I have access to a whole group of programmers as I run the forums for the CMS software (phpWebSite - phpwsforums.com). I'll post this same issue there to see what they can come up with.

Thanks again,
--Kevin