
Forum Moderators: Ocean10000 & phranque


A few .htaccess challenges

3:56 am on Dec 23, 2003 (gmt 0)

New User

10+ Year Member

joined:Dec 23, 2003
posts:2
votes: 0


Hello,

I am a PHP programmer with very little understanding of .htaccess and mod_rewrite, other than the basics.

I am working on a program that uses .htaccess to protect directories, and want to be able accomplish the following:

-------------------------[ 1 ]-----------------------------
The .htpasswd files do not store the plain-text passwords; rather, they are encrypted with md5() first, and then the PHP crypt() last.

So the user cannot log in by going directly to the URL (unless they know what their md5 password string is). This means all users must log in to our main program first, where the link will be displayed as:
[user:md5(pass)@domain.com...]

However, there is a risk of the user:md5(pass) being displayed as the referrer in other servers' logs if there are any outgoing links to other sites in the htaccess protected area. This is not acceptable.

What I would like to be able to do is use mod_rewrite to rewrite the URL to [domain.com...] once the user is logged in. Is this doable?

-------------------------[ 2 ]-----------------------------
To prevent spamming & password sharing, I would like to redirect all traffic not referred from my site (or sites) to our site's main login page. They can then log in there and the link to the htaccess protected area will be displayed, and by linking from that page they can gain access.

4:45 am on Dec 23, 2003 (gmt 0)

Senior Member

jdmorgan (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)

joined:Mar 31, 2002
posts:25430
votes: 0


antjenn,

Welcome to WebmasterWorld [webmasterworld.com]!

Just some comments here...

Your requirements may dictate a scripted approach, rather than the basic authentication methods available directly through Apache.

I don't think you have to worry about the referer visibility problem, though. Even in .htaccess, the user/password string is not available -- it is stripped off in the authentication phase, which precedes the API phase where .htaccess files are processed. We had a thread [webmasterworld.com] here a few days ago where the member wanted to test for an exploit, and in testing for this, I could not access any information including and preceding the "@" character from .htaccess. I strongly suggest you test this for yourself, but that is what I saw on preliminary investigation.

One other point I'd like to raise is that if you mean to use the literal string "htaccess" in your URL-path, I'd advise against it. Just like some of the "cute" messages some people like to serve to hot-linkers, it is a security problem -- it tells people of unknown intent something that they don't need to know, in this case revealing that you are using an Apache server. Not that they can't get that information (and easily) through other means, but why give it away?

Again, I suggest you test your approach to verify whether the username/password is available in HTTP_REFERER when clicking through to a second page (you can just click through a link on your post-login page to a secondary test page on your own server and then go check the logs for referer info). In my testing, it was not.

Jim
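To make both points concrete: antjenn's worry in [1] that user:md5(pass)@ could show up as the referer in someone else's logs, and Jim's advice to click through and then check your own logs for it. The following is an added example in Python, not code from either post. It shows what a conforming browser actually sends as Referer (RFC 7231 section 5.5.2 forbids including the userinfo and fragment parts of the referring URL) and a small Combined Log Format scan that flags any referer still carrying credentials. The function names, the example.com URLs and the log lines are all constructed for this example; the hex value in the sample is md5("password").

```python
"""Does a Basic-auth credential embedded in a link URL reach other sites as Referer?

Added example, not code from the thread. All URLs and log lines are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Apache Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# scheme://userinfo@ ... : an authority that still carries user[:password]
USERINFO_RE = re.compile(r'^[a-z][a-z0-9+.-]*://[^/?#@]+@', re.IGNORECASE)


def referer_for(link_url: str) -> str:
    """Referer a conforming user agent sends when following link_url.

    RFC 7231 section 5.5.2: the userinfo and fragment components MUST NOT be
    included, so alice:<hash>@ never appears even though it is in the address bar.
    """
    parts = urlsplit(link_url)
    host = parts.hostname or ""
    if ":" in host:                      # bare IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def find_leaked_credentials(log_lines):
    """Scan access-log lines; return (remote_host, referer) for every referer with userinfo.

    This is the check Jim recommends: click through from the post-login page, then
    look at the logs. A non-empty result means some client did leak the credential.
    """
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                      # not Combined Log Format; skip rather than crash
        referer = m.group("referer")
        if USERINFO_RE.match(referer):
            leaks.append((m.group("host"), referer))
    return leaks


# Constructed sample log. The second line is what a leak would look like: a client
# that did not strip userinfo sends alice:<md5("password")>@ along as the referer.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Dec/2003:03:56:00 +0000] "GET /members/index.html HTTP/1.1" '
    '200 512 "http://example.com/login.php" "Mozilla/4.0"',
    '203.0.113.7 - - [23/Dec/2003:03:57:10 +0000] "GET /partners/ HTTP/1.1" 200 1024 '
    '"http://alice:5f4dcc3b5aa765d61d8327deb882cf99@example.com/members/index.html" "Mozilla/4.0"',
    '203.0.113.9 - - [23/Dec/2003:03:58:42 +0000] "GET /partners/ HTTP/1.1" 200 1024 '
    '"http://example.com/members/index.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print(referer_for("http://alice:5f4dcc3b5aa765d61d8327deb882cf99@example.com/members/index.html#top"))
    for host, ref in find_leaked_credentials(SAMPLE_LOG):
        print(f"LEAK from {host}: {ref}")
```

Run the scan over the real access_log of the server you link out to (or your own, via a test page, as Jim suggests) after clicking through from the post-login page; an empty result means no client carried the credential into the Referer. The protection lives in the client, not in .htaccess, which is why it is worth measuring rather than assuming.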

7:44 am on Dec 24, 2003 (gmt 0)

New User

10+ Year Member

joined:Dec 23, 2003
posts:2
votes: 0


Jim,

Thanks a lot for your response and suggestions. I have explored some of my options and found a way to solve all my problems with one solution.

Rather than use the standard .htaccess & .htpasswd config, I have decided to pipe all requests through a php script.

This allows me to authenticate the user with my existing classes and removes the ugly popup login box. It allows me to track the user's session with a cookie, and log all the logins to catch password thieves.

Also, since many of the prospective clients for this product will have 5-25,000 users, there are drastic server load reductions, as the .htpasswd files would need to be regenerated frequently for billing, account changes/additions, etc. That in itself is worth the trouble for me!

I will share the code I have created so far - it has been tested on WINXP/Apache & Redhat/Apache....

.htaccess file:


# I had to add the line below to get it working on the Redhat:
# Options +FollowSymlinks
RewriteEngine on
# Requests for anything in a subdirectory are left alone
RewriteRule ^(.*)/.*$ - [L]
# Never rewrite the front controller onto itself
RewriteCond %{REQUEST_URI} !/htaccess\.php$
# Everything else, except images and stylesheets, is handed to the PHP script
RewriteRule !\.(jpg|gif|bmp|css)$ htaccess.php [L]

I thought I would share this, I hope it helps someone else...
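The front-controller approach in the last post moves three jobs from Apache into the script: proving the session cookie is genuine, deciding which file under the protected directory to serve, and keeping a login log that exposes password sharing. The block below is an added example in Python rather than the PHP the author used, and is not antjenn's code; PROTECTED_ROOT, SECRET_KEY, the cookie layout user:expires:hmac and the sample login records are all assumptions made for this example. The path check matters once a script opens files named by the URL, because the plain .htaccess/.htpasswd setup never exposed that surface.

```python
"""Core checks for a script that replaces .htaccess/.htpasswd as the gatekeeper.

Added example in Python (the thread's author used PHP); not the poster's code.
Assumed: PROTECTED_ROOT, SECRET_KEY, cookie layout user:expires:hex(hmac).
"""
import hashlib
import hmac
from pathlib import Path

SECRET_KEY = b"rotate-me-and-keep-out-of-the-web-root"   # assumption: server-side secret
PROTECTED_ROOT = Path("/var/www/members")                 # assumption: the directory to guard


def issue_session(user: str, now: int, ttl: int = 3600, key: bytes = SECRET_KEY) -> str:
    """Build a tamper-evident session cookie value: user:expires:hex(hmac-sha256)."""
    expires = now + ttl
    tag = hmac.new(key, f"{user}:{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{expires}:{tag}"


def verify_session(cookie: str, now: int, key: bytes = SECRET_KEY):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, expires_s, tag = cookie.rsplit(":", 2)   # rsplit: user names may contain ':'
        expires = int(expires_s)
    except ValueError:
        return None
    expected = hmac.new(key, f"{user}:{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):         # constant-time comparison
        return None
    if now >= expires:
        return None
    return user


def resolve_protected(request_path: str, root: Path = PROTECTED_ROOT):
    """Map a request path to a file strictly inside root, or None.

    The controller opens files named by the URL, so '..', absolute paths, dotfiles
    (e.g. .htaccess) and the controller itself must all be rejected.
    """
    rel = request_path.lstrip("/")
    if not rel or rel.endswith("/"):
        rel += "index.html"
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        return None                                    # escaped the protected directory
    if candidate.name.startswith(".") or candidate.name == "htaccess.php":
        return None
    return candidate


def suspicious_sharing(login_log, max_hosts: int = 3):
    """From (user, remote_host) login records, list users seen from more than max_hosts hosts."""
    hosts = {}
    for user, host in login_log:
        hosts.setdefault(user, set()).add(host)
    return sorted(u for u, h in hosts.items() if len(h) > max_hosts)


# Constructed login records as the script's logging would produce them.
SAMPLE_LOGINS = [
    ("alice", "203.0.113.7"), ("alice", "203.0.113.7"),
    ("bob", "198.51.100.2"), ("bob", "198.51.100.3"),
    ("carol", "192.0.2.10"), ("carol", "192.0.2.11"), ("carol", "192.0.2.12"),
]

if __name__ == "__main__":
    cookie = issue_session("alice", now=1072000000)
    print(verify_session(cookie, now=1072000100))            # alice
    print(resolve_protected("/../../etc/passwd"))           # None
    print(suspicious_sharing(SAMPLE_LOGINS, max_hosts=2))    # ['carol']
```

One caveat follows directly from the posted RewriteRule: anything ending in jpg, gif, bmp or css bypasses the script entirely and is served unauthenticated, so nothing confidential should live in those files. The HMAC secret must sit outside the web root and be rotated if it ever leaks, since whoever holds it can mint a session for any user.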