Forum Moderators: phranque
I have two members sites which use htaccess to allow users into their respective entrance ways (lobbys).
From there users get to select which site the user wishes to go to and the re write rule allows them access as long as they come from one of the 'Lobbys'.
I have a few users who cannot get past the re write, they get tossed out and some can't access .jpg's. I've had to move all my downloads to the visitors section as I couldn't get them to work nor will any of the site's internal pop-up windows work.
This certainly could be the system for me but I obviously don't know the rule's wildcards and need some help in refining what I have. I've pasted current code below. I have clients threatening to quit and need a quick fix, can anyone help?
RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http://www.domain-ONE.com/lobby/lobby.html [NC]
RewriteCond %{HTTP_REFERER}!^http://www.domain-TWO.com/lobby/lobby.html [NC]
RewriteCond %{HTTP_REFERER}!^http://www.domain-ONE.com/members/ [NC]
RewriteCond %{HTTP_REFERER}!^http://www.domain-ONE.com/members/MPEGS/ [NC]
RewriteCond %{HTTP_REFERER}!^http://www.domain-ONE.com/members/Games/ [NC]
RewriteRule /* [domain-ONE.com...] [L,R]
Welcome to WebmasterWorld [webmasterworld.com]!
It is likely that these clients are accessing your site through firewalls or caching proxies which block HTTP_REFERER information. Therefore, they will show up with HTTP_REFERER blank, and your mod_rewrite code will not redirect them.
You have at least two choices: You can allow blank referers by adding a RewriteCond that redirects blank referers to a 'pick your account and click to go there' page, or you can change your technique for user redirection to use account passwords or cookies (set by a 'pick your account page'), and then use a server-side script to do the redirection. There may be other good solutions, too.
Because referer info is often blocked by agents outside the control of the user, do not rely on HTTP_REFERER for any critical site presentation or security function.
Jim
First off what is a blank referrer as this sounds like something I could implement quickly and get my customers in the site before loosing them.
Thanks again for the help, it's much appreciated!
Amazingly, I actually know the answer to this (which doesn't happen often). Insert the second line from below. This will allow empty referrers through. It will stop people hot-linking to your site, but won't stop them just typing the address directly into the browser.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.domain-ONE.com/lobby/lobby.html [NC]
Let me know if you decide on anything, because I have a similar problem.
I have a small website which I created specifically as a resource for a couple of affiliated websites, but want to restrict access to only people logged into those sites. I haven't found any solution that doesn't involve entering some kind of authorisation.
SMB
[edited by: jdMorgan at 5:30 am (utc) on Jan. 11, 2004]
[edit reason] Fixed missing spaces [/edit]
Welcome to WebmasterWorld [webmasterworld.com]!
Posting on this forum removes spaces that precede an exclamation point "!". The solution is to type two spaces there.
Since a missing spaces would cause a syntax error in mod_rewrite, I edited your post only to fix that problem.
shipofone,
Adding the first RewriteCond shown in spunkymungbean's code will allow access from visitors presenting a blank referrer header, and that should be a good temporary fix. The other solutions I described depend heavily on your site specifics, so I can't really provide a useful example. Once you get comfortable with mod_rewrite, you should be able to come up with a solution on your own, or at least you will be able to post specific questions about details of the implementation.
Jim
