.htaccess question ?

Forum Moderators: bakedjake

Message Too Old, No Replies

.htaccess question ?

Can I do this ? And how?

kidd

3:09 pm on Jul 21, 2002 (gmt 0)

Im wondering if someone could help me out with this.

On my site I have three protected directories each one for a different kind of suscription(3, 6 and 12 months). And I want to create a new forum that can be accesed by any member.

The problem is that the forum is in another folder and I have no idea of how to let members access it from their current directory with the same password and without asking them to enter it again.

Maybe I can solve this with an http-referrer or with a redirection...

Thanks in adavnced for your help...

toadhall

6:43 am on Jul 22, 2002 (gmt 0)

Hi kidd,

Welcome to the board.

I shy away from http-referrer as it can be "shut off" in some browsers and security suites, and I think reusing the password from .htaccess is too convoluted, if possible at all.

Perhaps you could link from each protected directory via a form, sending a "hidden" name/value pair to test for in a conditional statement (if name equals value) on the index page of the forum folder.

Using the post method in the form will keep the name/value pair from appearing in the url.

A unique name/value pair for each protected directory could be used to track access to the forum.

kidd

1:21 pm on Jul 22, 2002 (gmt 0)

Hi...

That is a great idea and it never ocurred to me to go that way. And I tried it out this morning and it works like a CHARM...

Thank you very much for your answer...

best of luck
uriel

bird

4:25 pm on Jul 22, 2002 (gmt 0)

If you don't have very high security requirements (eg. you just want to keep out casual surfers), then the proposed solution is probably the simplest. However, anyone who gets hold of one of those name/value pairs will be able to access your forum as well, at any time. While they won't be visible in the URL, they can be grabbed from a cached copy of the previous page very easily.

Unfortunately, I can't think of a .htaccess based solution either. If you want to improve on security, then another way would be using cookies, which is probably most elegant and secure. In either case you might want to include more information in your tokens, such as a timestamp that makes them expire after a while, or other user specific data.

toadhall

1:42 am on Jul 23, 2002 (gmt 0)

> can be grabbed from a cached copy of the previous page very easily.

Granted, it's a low security solution.

This no-cache header will take care of most cache problems:

header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header ("Cache-Control: no-store, no-cache, must-revalidate");
header ("Cache-Control: post-check=0, pre-check=0", false);
header ("Pragma: no-cache");

...must be at the top of the page. This is for use in php, but can be modified for perl or asp. The "guts" are the same; the function may be different.

kidd

1:19 pm on Jul 23, 2002 (gmt 0)

I was thinkin also of sticking a couple of cookies in my forum and I think its a good idea the headers for keeping the page from being stored in the cache...

Ill be adding them this afternoon...

Thanks very much all for your replies...

best of luck to you....