Hello Max

Thank you for this interesting idea!

I have implemented it on my test server and it seems to do what I want. 
However, at the moment, I do not fully understand what is happening. 
However, I will study the Apache docs right now.

Thanks!

Jonathan


>From: Maxwell Hung <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [PHP] Insecurity with PHP authorization
>Date: Tue, 7 Aug 2001 11:22:33 +0100 (BST)
>
>Hi Stefan
>
>You can do this
>
>#Add this to httpd.conf N.B. apache > 1.3.12
>SetEnvIfNoCase Referer "^http://www\.mysite/" local_ref=1
>
># place the following into a .htaccess file in the dir
># whose files you wish to protect
>Options -Indexes
>
># change the extensions you want to protect
><FilesMatch "\.(doc|zip|xls|flp)$">
>     Order Allow,Deny
>     Allow from env=local_ref
></FilesMatch>
>
>This will stop direct requests to files, as the env
>var will not be set.
>
>I've used it on my setup and it's fine. As noted above
>this will only work with apache > 1.3.12
>
>If you get it working could you forward it to the php
>list I can't get there through this a/c
>
>HTH
>
>M@
> --- Stefen Lars <[EMAIL PROTECTED]> wrote:
> >
> > Hello all
> >
> > I have just implemented a mySQL authorization: each
> > html and php page checks
> > to see whether a user is logged in by checking a
> > cookie in the user browser.
> > The user can log out and edit her profile (including
> > password). If a page is
> > called without the user being logged in, he is
> > presented with a log in form.
> > This works very well. There is an SSL connection to
> > the server. Only a hash
> > value of the password is stored in the database.
> >
> > However, if I directly request a graphic (or a ZIP
> > file etc) from the site,
> > by entering:
> > https://www.myserver.com/photo.jpg for example, I
> > can download that file
> > without being logged in (naturally).
> >
> > In the particular *intranet* project that I am
> > working on, this is
> > particularly undesirable, as only personnel at the
> > company’s four locations
> > may have access to the intranet. And there certainly
> > will be a lot of
> > ‘confidential’ ZIP and graphic files placed on the
> > server.
> >
> > I do realize that if I were to place a .htaccess
> > file in the root of the
> > intranet server, I could prevent the above from
> > happening, but then I lose
> > the advantage of having the user's profile in a
> > database, where a user can
> > easily change her password. Allowing a web user to
> > edit a password in the
> > .htaccess file poses more problems than it solves,
> > especially as it
> > certainly could occur that more than one person
> > wants to edit his password
> > simultaneously.
> >
> > Could anyone suggest a method to allow a user to
> > easily edit his password,
> > but at the same time, not allow direct access to
> > specific non-PHP files on
> > the intranet server?
> >
> > Perhaps one method would be to restrict access to
> > the company’s four gateway
> > servers (IP addresses). However, I feel this is not
> > too secure, and these IPs
> > could be spoofed (and this does not really solve the
> > problem).
> >
> > Any enlightenment on this subject would be well
> > received.
> >
> > TIA
> >
> > S.


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
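The Referer rule quoted above only checks a header the client supplies, so it keeps out casual direct links rather than a deliberate request. A complementary approach, added here as an example and not code from either poster: keep the protected files outside the DocumentRoot and serve them through a PHP script that performs the same login check as Stefan's pages, so Apache never serves them directly. The session key `$_SESSION['user_id']`, the directory `/var/intranet/private` and the URL `/login.php` are assumptions.

```php
<?php
// download.php (added example, not from the thread). Serves one protected file
// to a logged-in user. Assumed, not from the posts: the login state is kept in
// $_SESSION['user_id'], protected files live in /var/intranet/private (outside
// the DocumentRoot), and the login form is /login.php.
session_start();

$storage = realpath('/var/intranet/private');
$allowed = array(
    'doc' => 'application/msword',
    'xls' => 'application/vnd.ms-excel',
    'zip' => 'application/zip',
    'jpg' => 'image/jpeg',
);

// 1. The same check every protected PHP page makes: no session, no file.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// 2. Never trust the requested name. basename() drops any directory part, the
//    character whitelist rejects quotes and control bytes, and only the listed
//    extensions may be served.
$name = basename(isset($_GET['f']) ? $_GET['f'] : '');
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!preg_match('/^[A-Za-z0-9._-]+$/', $name) || !isset($allowed[$ext])) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// 3. Resolve the path and confirm it is still inside the storage directory
//    (guards against a symlink placed there that points elsewhere).
$path = realpath($storage . '/' . $name);
if ($path === false || strpos($path, $storage . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

// 4. Send it with an explicit type and length so the browser does not guess.
header('Content-Type: ' . $allowed[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Pages then link to `/download.php?f=report.zip`; because the files are not under the DocumentRoot, a direct URL like the one in Stefan's mail has nothing to fetch, whatever Referer the client sends, and users keep changing their passwords in the database as before.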
