htaccess and php sessions

mod_rewrite depending on session variables

         

webdesigner007

11:55 am on May 2, 2005 (gmt 0)


Hi all,
I wish to block direct URL access to my files, but this is difficult due to referrer problems, etc.
Is it possible for a .htaccess file to check if a session is available and to only allow access to users with a valid session? How would this code look?

Thanks, Robbi

jd01

8:49 am on May 4, 2005 (gmt 0)


Hi Robbi,

Sorry for the delay in responding... Normally, we try to help with existing code, so sometimes general questions get missed.

I am not sure what you mean by referer problems?

You might be able to accomplish what you are trying to do by checking to see if there is a query string (stuff after the ?), but how this would look would depend on what you would want to happen if there was not a query string...

Maybe you can elaborate and be specific, then someone can help point you in a more definite direction than I can right now.

Hope this helps.

Justin

webdesigner007

9:20 am on May 4, 2005 (gmt 0)


Hi Justin,

OK, I can see my question may be slightly ambiguous.
Basically I have built an application for file storage. Users who log in to the application are able to access the files stored. This is via a simple href link directly to the file.
However, smart users can easily work out where the files are stored because this shows up in the source code and in the status bar. It is just a matter of adding the partial link to the domain.

I wish to create an .htaccess control which only allows users with a certain session variable to be able to access the directory, all others are denied. However I don't know if .htaccess recognises PHP session variables and therefore whether it can filter them.

My first idea was to check if the referrer was the application itself and allow access only to this referrer, but this will not work because sometimes the referrer is blank or disguised due to firewalls, proxies, etc.

Thanks,

Robbi

jd01

9:49 am on May 4, 2005 (gmt 0)


Hi Robbie,

I believe you would be more successful with PHP itself. The only way I can see mod_rewrite being effective is if the session variable will always be the same for a certain condition. E.g., if the user decides to view a certain file(s) they always get the same session id... In this case, you could use mod_rewrite.

You *might* look into the use of cookies, or passing the variable as a time format, then comparing the time the variable contains to the system time, and if it is out of range, denying access...

Hope this gives you some ideas.

Maybe I'm missing something, but from what I understand I do not see mod_rewrite being the most efficient way to solve your problem.

Justin

webdesigner007

10:40 am on May 4, 2005 (gmt 0)


Hi Justin,

Thanks for the prompt replies.
I think you are correct that PHP may offer better alternatives.

I am going round in circles with mod_rewrites and I guess it is better to build a function for the server to handle downloads rather than linking to them directly.

Robbi
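
The approach the thread settles on, a PHP script that serves downloads instead of direct links, could look like the following. This is an added example, not code posted by anyone in the thread. It assumes the files are stored outside the document root (or in a directory the web server refuses to serve directly), that the login code sets `$_SESSION['user_id']`, and that links take the form `download.php?file=name`; the path, session key and script name are all hypothetical.

```php
<?php
// download.php (added example; STORAGE_DIR and the 'user_id' session key are assumptions)
declare(strict_types=1);

const STORAGE_DIR = '/var/www/private/files'; // hypothetical, outside the document root

/** Map a requested file name to a real path inside $baseDir, or null if not allowed. */
function resolve_download(string $requested, string $baseDir): ?string
{
    // basename() discards any directory part, so "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null; // empty name or dotfile such as .htaccess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so confirm the result is still under the base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403); // no valid login session: refuse before touching the disk
    exit('Forbidden');
}

// Reject array-style parameters (?file[]=x) by accepting strings only.
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_download($requested, STORAGE_DIR);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// A per-file ownership check (does this user own $path?) would go here.
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the storage directory is never reachable by URL, guessing the path from the page source no longer yields the file, and no referrer check is involved.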