.htaccess

.htaccess

Rondon
Hi Folks,

Sorry to bother you.
My website is using apache at Dreamhost.

I'm authenticating using a require valid-user at .htaccess
But I need to add more directives to authenticate the access by Referer.

If the user comes from a specific referer, the user doesn't have to receive the authentication box and bypass the authentication.

Is that possible?

My .htaccess file is:

AuthName "My Security Area"
AuthType Basic
AuthUserFile  /myusersfilepath/
require valid-user

ErrorDocument 401 /error.html

I'd like to add authentication by Referer
if Referer or host domain.the extension then there is no need for authentication
the user goes in with the authentication box.

Can you help with that?

Thanks in advance and waiting for your response

Cheers,

--DjRondon




---------------------------------------------------------------------------------------------
Your life is shaped by your mind and you become what you think.
Dhampada - Twin Verses.

Re: .htaccess

Yann Ylavic
Hi Rondon,

On Fri, Sep 15, 2017 at 12:27 AM, Rondon <[hidden email]> wrote:

> Hi Folks,
>
> Sorry to bother you.
> My website is using apache at Dreamhost.
>
> I'm authenticating using a require valid-user at .htaccess
> But I need to add more directives to authenticate the access by Referer.
>
> If the user comes from a specific referer, the user doesn't have to receive
> the authentication box and bypass the authentication.

First I must say that it's IMHO not a wise thing to do!
Keep in mind that the Referer can be forged at will by any user,
fooling your authorizations...

>
> Is that possible?

If you really want to though, possibly something like:

>
> My .htaccess file is:
>
> AuthName "My Security Area"
> AuthType Basic
> AuthUserFile  /myusersfilepath/

SetEnvIf Referer ^https?://my\.referer\.host/and/path let_me_in
Require env let_me_in
> require valid-user

in that order.


Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
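
Added example, not part of the thread and not written by either poster: the directives from the reply above laid out as one complete .htaccess, so that a matching Referer skips the password prompt and every other request still gets Basic authentication. It assumes Apache 2.4, where Require lines outside a container are already treated as if wrapped in RequireAny; the explicit container, the escaped dots and the commented 2.2 variant are assumptions, and the host and paths are the thread's placeholders.

```apache
# Added example for Apache 2.4 (mod_setenvif, mod_auth_basic, mod_authz_core).
# Host, path and user file are the thread's placeholders.

# Set let_me_in when the Referer header matches. Dots are escaped so they
# match a literal "." only. The header is sent by the client, so the
# variable records what the request claims, not where it came from.
SetEnvIf Referer "^https?://my\.referer\.host/and/path" let_me_in

AuthName "My Security Area"
AuthType Basic
AuthUserFile /myusersfilepath/
ErrorDocument 401 /error.html

# Either condition is enough: no password prompt when let_me_in is set,
# Basic authentication for every other request.
<RequireAny>
    Require env let_me_in
    Require valid-user
</RequireAny>

# Apache 2.2 equivalent of the block above (assumption: the host still
# runs 2.2-style access control; use this instead of <RequireAny>):
#   Order Deny,Allow
#   Deny from all
#   Allow from env=let_me_in
#   Require valid-user
#   Satisfy Any
```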


Re: .htaccess

Rondon
Hi Yann,

But I need to have both working.. 
By Referer bypass the user authentication
if Referer is different it needs the user authentication.

Cheers,

Rondon

---------------------------------------------------------------------------------------------
Your life is shaped by your mind and you become what you think.
Dhampada - Twin Verses.

2017-09-16 14:46 GMT-03:00 Yann Ylavic <[hidden email]>:
Hi Rondon,

On Fri, Sep 15, 2017 at 12:27 AM, Rondon <[hidden email]> wrote:
> Hi Folks,
>
> Sorry to bother you.
> My website is using apache at Dreamhost.
>
> I'm authenticating using a require valid-user at .htaccess
> But I need to add more directives to authenticate the access by Referer.
>
> If the user comes from a specific referer, the user doesn't have to receive
> the authentication box and bypass the authentication.

First I must say that it's IMHO not a wise thing to do!
Keep in mind that the Referer can be forged at will by any user,
fooling your authorizations...

>
> Is that possible?

If you really want to though, possibly something like:

>
> My .htaccess file is:
>
> AuthName "My Security Area"
> AuthType Basic
> AuthUserFile  /myusersfilepath/

SetEnvIf Referer ^https?://my\.referer\.host/and/path let_me_in
Require env let_me_in
> require valid-user

in that order.


Regards,
Yann.
