Authentication with Query String and Rewrite / Allow, Deny

Alles, was den Apache betrifft, kann hier besprochen werden.

Authentication with Query String and Rewrite / Allow, Deny

Postby softconcepts » 10. December 2010 14:16

Hi folks,

my purpose is to secure a directory. For some reason ("Authentication" should be happen automatically and the user should not notice it) I can't use HTTP AUTH, so that's why I follow this way:

For instance, a image which is in this directory has to be called like this (from the same or another domain):
Code: Select all
<img src="http://example.com/subdir/image.jpg?auth_string" />


Only calls with this "auth_string" are authorized to get files out of this directory. So my .htaccess looks like this:

Code: Select all
# is the query_string equal auth_string. If so, set envirnment variable "authenticated" to 1
RewriteEngine On
RewriteCond %{QUERY_STRING} ^auth_string$
RewriteRule ^ - [L,E=authenticated_host:%{HTTP_REFERER}]

# allow only the host which is authorized through RewriteRule above
Order Allow,Deny
Allow from env=authenticated_host


Do you have any idea why it doesn't work. Or maybe a better approach.

Thanks in advance,
Patrick
softconcepts
 
Posts: 2
Joined: 10. December 2010 14:13

Re: Authentication with Query String and Rewrite / Allow, De

Postby Nobbie » 10. December 2010 15:23

.htaccess is NOT a procedural language. you cannot determine which statements are executed first. This is the same .htaccess as yours - and its obvious, that it cannot work:

Code: Select all
    # allow only the host which is authorized through RewriteRule above
    Order Allow,Deny
    Allow from env=authenticated_host

    # is the query_string equal auth_string. If so, set envirnment variable "authenticated" to 1
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^auth_string$
    RewriteRule ^ - [L,E=authenticated_host:%{HTTP_REFERER}]


Anyway, this is by far more easier:

Code: Select all
RewriteEngine On
RewriteCond %{QUERY_STRING} !^auth_string$
RewriteRule ^ - [F]
Nobbie
 
Posts: 13170
Joined: 09. March 2008 13:04

Re: Authentication with Query String and Rewrite / Allow, De

Postby softconcepts » 10. December 2010 16:06

Nobble, thank you!! That's the way it works.
Pretty easy... :shock:

Patrick
softconcepts
 
Posts: 2
Joined: 10. December 2010 14:13


Return to Apache

Who is online

Users browsing this forum: No registered users and 21 guests