Forum Moderators: phranque

Authentication with Query String and Rewrite / Allow, Deny

softconcepts

12:43 pm on Dec 10, 2010 (gmt 0)

Hi folks,

My purpose is to secure a directory. For some reason ("authentication" should happen automatically and the user should not notice it) I can't use HTTP AUTH, so that's why I follow this approach:

For instance, an image in this directory has to be called like this (from the same or another domain):
<img src="http://example.com/subdir/image.jpg?auth_string" />


Only calls with this "auth_string" are authorized to get files out of this directory. So my .htaccess looks like this:


# Is the query string equal to auth_string? If so, set the environment
# variable "authenticated_host" to the value of the Referer header
RewriteEngine On
RewriteCond %{QUERY_STRING} ^auth_string$
RewriteRule ^ - [L,E=authenticated_host:%{HTTP_REFERER}]

# allow only requests for which the RewriteRule above set the variable
Order Allow,Deny
Allow from env=authenticated_host


Do you have any idea why it doesn't work? Or maybe a better approach?

Thanks in advance,
Patrick
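An added example, not code from Patrick's post or from anyone in this thread, showing why the "Allow from env=" attempt above cannot work and how the same fixed-token policy is written as a single authorization rule on Apache 2.4. Assumed: the file is /subdir/.htaccess, the directory allows AuthConfig overrides, and mod_authz_core is loaded (all assumptions for this example).

```apache
# Why the RewriteRule [E=...] version never matched:
#  - "Allow from env=" is evaluated by the access checker, but in a
#    per-directory .htaccess mod_rewrite does not run until the later
#    fixup phase, so the variable does not exist yet when access is checked.
#  - "Allow from env=NAME" only tests whether NAME is set at all; the
#    referer stored in it is never compared with any host.
#
# Apache 2.4: Require expr is evaluated at authorization time, so the
# query string can be tested directly.  This still grants access to any
# request carrying the fixed token, which is exactly the thread's policy.
Require expr "%{QUERY_STRING} == 'auth_string'"
```

On Apache 2.2, where "Require expr" is not available, the RewriteRule with the [F] flag is the working equivalent. Neither form makes the token itself any harder to copy; they only decide where in request processing the check happens.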

softconcepts

3:08 pm on Dec 10, 2010 (gmt 0)

I found a solution:

RewriteEngine On
# return 403 Forbidden for any request whose query string is not exactly auth_string
RewriteCond %{QUERY_STRING} !^auth_string$
RewriteRule ^ - [F]

Pretty easy... :-)

jdMorgan

1:11 am on Dec 14, 2010 (gmt 0)

So, anyone who hovers over the link and notices the "auth_string" can simply type in that URL and GET your files... That's not very secure, and no method that exposes the "authorization" in a query string can be secure.

For same-domain requests, look into using a cookie instead. Cookies won't work cross-domain, though.

Jim
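As an added example (not code from the thread or from either poster), the following Python contrasts the fixed-token check the thread settled on with a time-limited, HMAC-signed URL: the kind of query-string credential that can be embedded cross-domain without a cookie but stops working when copied and replayed later. The key, path, TTL and function names are assumptions for this example; the verifier would run wherever the files are actually served.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; a real key must be long, random and
# shared only between the server that signs URLs and the one serving files.
KEY = b"example-key-replace-with-32-random-bytes"
IMAGE_PATH = "/subdir/image.jpg"


def static_token_allowed(url: str, token: str = "auth_string") -> bool:
    """The thread's scheme: accept when the whole query string equals a fixed token.

    Anyone who sees the URL once (hover, page source, proxy log, Referer header)
    can replay it indefinitely, which is the weakness Jim points out.
    """
    return urlsplit(url).query == token


def _signed_message(path: str, exp: int) -> bytes:
    # Bind the MAC to the exact path and expiry so neither can be edited.
    return f"{path}\n{exp}".encode()


def sign_url(path: str, ttl_seconds: int, key: bytes = KEY,
             now: Optional[float] = None) -> str:
    """Return path?exp=<unix time>&sig=<hex HMAC-SHA256 over path and exp>.

    The page that embeds the image calls this server-side; the browser only
    ever sees a URL that stops working after ttl_seconds.
    """
    current = time.time() if now is None else now
    exp = int(current) + ttl_seconds
    sig = hmac.new(key, _signed_message(path, exp), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': exp, 'sig': sig})}"


def signed_url_allowed(url: str, key: bytes = KEY,
                       now: Optional[float] = None) -> bool:
    """Server-side check: unexpired, and the signature matches path + exp."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed parameters: deny
    current = time.time() if now is None else now
    if exp <= current:
        return False  # expired: a copied URL is useless after the TTL
    expected = hmac.new(key, _signed_message(parts.path, exp),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the correct MAC byte by byte via timing.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    leaked = "http://example.com/subdir/image.jpg?auth_string"
    print("static token, replayed:", static_token_allowed(leaked))  # True

    url = sign_url(IMAGE_PATH, ttl_seconds=300)
    print("signed, fresh:", signed_url_allowed(url))  # True
    print("signed, expired:",
          signed_url_allowed(url, now=time.time() + 600))  # False
    print("signed, path edited:",
          signed_url_allowed(url.replace("image.jpg", "other.jpg")))  # False
```

The signed URL still appears in browser history and in Referer headers for as long as it is valid, so keep the TTL short; if the threat model needs it, the signed message can also bind the client address or a session identifier. Because only the signing key is shared between the embedding site and the file server, this works across domains where a cookie would not.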