<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://<TESTPAGE>/.*$ [NC]
RewriteRule .* <PAGE TO REFER TO> [F]
</IfModule>
How do I specify a page as the allowed referer?
Welcome to WebmasterWorld [webmasterworld.com]!
I'm not sure I understand your question completely, but here's an example:
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/authorized_referring_paqe\.html$ [NC]
RewriteRule ^page_requiring_authorized_referer\.html$ - [F]
The first line checks to be sure that HTTP_REFERER is not blank - which it will be under many circumstances because HTTP_REFERER is not always passed by the client, and is often dropped by intervening caching proxies. If the referrer is blank, the RewriteRule is skipped. HTTP_REFERER is not reliable, so this test is almost always required, despite the fact that it opens a hole in your authorization scheme.
The second line checks to see if the referrer is NOT ("http://www.example.com/authorized_referring_paqe.html" OR "http://example.com/authorized_referring_paqe.html") with upper/lowercase ignored. Note that the "www." is made optional by the "?". If the referrer IS one of those, then the RewriteRule will be skipped.
Otherwise, if the non-blank referer is not the correct page, then the RewriteRule invokes a 403-Forbidden server response if the requested page is the one requiring referrer authorization.
If you need better "security," then you can use cookies, a server-side-script-based solution, or other approaches. All of them are more complex than this method, but offer better security.
Jim
So how do I apply this mod_rewrite rule to specific pages? Or is this a global setting, stating that you are only allowed to a certain place given you started from an allowed place.
It's been tough wrapping my head around this. It wasn't my idea to use this method. I wanted to just put the files in a password protected area.
I'll make changes based on your advice.
Thank you
> So how do I apply this mod_rewrite rule to specific pages? Or is this a global setting, stating that you are only allowed to a certain place given you started from an allowed place.
The pattern in the RewriteRule determines which directories or pages the rule will be applied to - IF all the RewriteConds are satisfied.
The setup of your directories can make a big difference in how complex the rewrite needs to be. The easiest solution from the mod_rewrite perspective is to put all the restricted resources into a single directory (or directory branch) and then use a pattern in the RewriteRule that covers that entire directory or branch. Similarly, if the allowed-referers all share a common directory path, then you can specify that path in the RewriteConds used to check the referring URLs. Basically, the same directory structure that would be good for password-authorized access is also good for mod_rewrite-controlled access.
> It's been tough wrapping my head around this. It wasn't my idea to use this method. I wanted to just put the files in a password protected area.
The learning curve on mod_rewrite is steep. It also requires using regular-expressions, another subject with a steep learning curve. So it takes a while to become comfortable with it. Once you do, however, its power and flexibility are very useful.
> Where do I put this mod_rewrite file? Near the bottom of the httpd.config there is the mod_rewrite. I have it there as well as within the DocumentRoot. Is there anywhere else I need to put it?
Putting it in the directory container for the "site" in question in httpd.conf should be sufficient. But I am not a server-level config expert, since I only rent web space. (I really need to get another PC so I can "spare one out" and use it as a test server to help answer these questions. Maybe next year...) Others may be able to offer better advice on this question.
Jim
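The evaluation order described in the replies above (RewriteRule pattern first, then every RewriteCond), modelled as an added Python example that is not code from the thread. It uses Python's re in place of Apache's regex engine, the directory names "restricted/" and "members/" are assumed, and all sample requests are constructed.

```python
import re

def make_rule(rule_pattern, conds):
    """Model one 'RewriteRule ... - [F]' with its RewriteConds (all ANDed, [NC])."""
    rule_re = re.compile(rule_pattern)
    compiled = [(re.compile(p, re.IGNORECASE), negated) for p, negated in conds]

    def status(path, referer=""):
        # mod_rewrite tests the RewriteRule pattern first; in per-directory
        # context the path has no leading slash.
        if not rule_re.search(path):
            return 200
        # Every RewriteCond must hold; a leading "!" negates the match.
        for cond_re, negated in compiled:
            if (cond_re.search(referer) is not None) == negated:
                return 200  # one condition failed, so the rule is skipped
        return 403  # [F]

    return status

# The three lines from the first reply.
page_rule = make_rule(
    r"^page_requiring_authorized_referer\.html$",
    [(r".", False),
     (r"^http://(www\.)?example\.com/authorized_referring_paqe\.html$", True)],
)

# Directory layout from the later reply; "restricted/" and "members/" are assumed names.
dir_rule = make_rule(
    r"^restricted/",
    [(r".", False), (r"^http://(www\.)?example\.com/members/", True)],
)

def demo():
    """Run constructed sample requests through both rule sets."""
    page = "page_requiring_authorized_referer.html"
    return {
        "authorized referrer": page_rule(page, "http://example.com/authorized_referring_paqe.html"),
        "other referrer": page_rule(page, "http://other.example.net/links.html"),
        "blank referrer": page_rule(page, ""),
        "unprotected page": page_rule("index.html", "http://other.example.net/links.html"),
        "directory, allowed": dir_rule("restricted/report.pdf", "http://WWW.example.com/members/home.html"),
        "directory, other": dir_rule("restricted/report.pdf", "http://example.com/elsewhere.html"),
    }

if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case:22} -> {code}")
```

The "blank referrer" row returns 200: it is the hole the first reply describes, and it is the case to cover when testing a deployed rule set.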