SetEnvIf

Allowing access to a directory only by local referer

         

uporoff

8:06 pm on Sep 10, 2004 (gmt 0)



Hi,

We have a server that has two instances of Apache on different drives. One handles all the standard http requests. The other handles all the https and JSP (using Tomcat). We have a JSP log-in page for members with session management on the https instance of Apache.
We want to allow members who have logged on to access pdf documents that are housed in a directory on the http instance. So we are trying to use the following to prevent anyone from viewing the documents unless they are referred from the https instance, e.g.

<Directory "D:/Apache2/htdocs/journal">

SetEnvIfNoCase Referer "^https://www.hostname.org/readtest/journal.jsp." local_ref=1
<FilesMatch ".(pdf)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>

This does restrict access if trying to view the directory directly from a browser but also prevents access from the referring jsp page. We cannot figure out why. Any suggestion greatly appreciated.

Thanks

jdMorgan

8:46 pm on Sep 10, 2004 (gmt 0)



uporoff,

Welcome to WebmasterWorld!

HTTP referrers are not reliable, because it is up to the client (e.g. browser) to send the referrer in the HTTP request header, and some don't. Bookmarks, direct type-ins, and JavaScript referrals will be blank, as will referrals from several kinds of applications including media players. In addition, modern browsers often have plug-ins or toolbars to allow the user to easily suppress referrer header transmission.

Therefore, limiting access by referrer is imperfect at best, and unworkable at worst.

Your options are to allow blank referrers in addition to the approved referrers, or to use a more reliable access control method, such as cookies/session IDs or password protection.

Side-note: The parentheses around "pdf" in your <FilesMatch> container should not be needed, unless you wish to allow blank referrers, in which case it should read


<FilesMatch "\.(pdf$¦^$)">

Replace the broken pipe "¦" character above with a solid pipe before use -- posting on this board modifies them.

Jim
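
The rules from the question, modelled in Python as an added example (not code from the thread or from Apache) to show which requests the Referer test lets through. Browsers following RFC 2616 section 15.1.3 send no Referer when a link on an https page points to an http URL, which is the situation described in the question. The names `pdf_allowed`, `evaluate`, `TIGHTENED` and the sample requests are assumptions made for illustration.

```python
import re

# Pattern exactly as posted in the SetEnvIfNoCase line (dots unescaped).
POSTED = r"^https://www.hostname.org/readtest/journal.jsp."
# Assumed tightened form: dots escaped, no trailing "." that demands one more character.
TIGHTENED = r"^https://www\.hostname\.org/readtest/journal\.jsp"


def pdf_allowed(headers, pattern=POSTED, allow_blank=False):
    """Simplified model of the posted rules:
    SetEnvIfNoCase Referer <pattern> local_ref=1
    Order Allow,Deny / Allow from env=local_ref
    """
    # mod_setenvif tests an absent header as the empty string.
    referer = headers.get("Referer", "")
    local_ref = re.search(pattern, referer, re.IGNORECASE) is not None
    # Optional extra rule for blank referrers: SetEnvIf Referer "^$" local_ref=1
    if allow_blank and referer == "":
        local_ref = True
    # Order Allow,Deny denies by default, so the env variable alone decides.
    # Nothing here consults the JSP session: only the header text matters.
    return local_ref


# Constructed sample requests for a PDF under /journal/ (not captured traffic).
JSP = "https://www.hostname.org/readtest/journal.jsp"
SAMPLES = [
    ("link followed from the https page (no Referer sent)", {}),
    ("Referer is exactly the JSP URL", {"Referer": JSP}),
    ("Referer is the JSP URL plus a query string", {"Referer": JSP + "?issue=3"}),
]


def evaluate(pattern=POSTED, allow_blank=False):
    """Return {description: allowed?} for every sample request."""
    return {desc: pdf_allowed(h, pattern, allow_blank) for desc, h in SAMPLES}


if __name__ == "__main__":
    for title, kw in [("as posted", {}),
                      ("tightened pattern", {"pattern": TIGHTENED}),
                      ("as posted + blank allowed", {"allow_blank": True})]:
        print(title)
        for desc, ok in evaluate(**kw).items():
            print(f"  {'ALLOW' if ok else 'DENY '}  {desc}")
```

With blank referrers allowed, a direct request that carries no Referer is served as well, so the rule no longer limits the PDFs to members who have logged in.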