How do you test HTTP_REFERER in htaccess

Anon

I've given up on trying to send PHP user/pass value pairs to Apache's basic authentication.

On the advice of another poster (thanks Metin) I've decided to try to set up a .htaccess file to test for a HTTP_REFERER from a specific page within the site. Here's the problem:

1) We have a working PHP/MySQL login form.

2) Once authenticated the user is presented with a link to one of several PDFs based on their level of access contained in their record in the MySQL table. This all works great.

3) Problem is we don't want them to be able to bookmark directly to the PDF. They have to login in first. When there was just one file for everyone we just used .htaccess basic authentication and a group file on the server. Now that there are several hundred users and several PDFs based on their access level we needed a more robust system.

4) We're ruled out the PHP Header() function as it doesn't work in all versions of IE on Windows and it doesn't provide for protection agains directly linking to the PDF or bookmarking it.

5) It was suggested to set up a HTTP_REFERER check in the .htaccess file so that the user had to be coming from the link page after a successful login. If not, if they bookmark the PDF or just type it into the address bar of the browser they should be redirected to the login page.

After over 2 hours of searching in our Apache books here and on the Web we've not found anything that works. Even tried doing a Rewrite conditional based on HTTP_REFERER. Just keep getting Internal server 500 errors. Here's the last Rewrite we tried:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^{http://([a-z0-9-]+.)our_domain_name_was_here.com/directory/our_form_page.htm(:80)/} [NC]
RewriteRule /* http://%{HTTP_HOST}/ [R,L]

Any help or suggestions?? This is basically our last hope before telling the client this seemingly simple little thing is not protectable from bookmarking once the user has gained access once...

Thanks in advance!

-shane

brandonschnell

HTTP_REFERER doesn't always work and shouldn't be counted on for anything critical. its just for information. its also easily faked.

this is easily done using Header() & php authentication. properly set headers() can force a download in any version of ie. search on this page on how.

store the unique session id in a session cookie. on login update the user table with the new session. when user tries to authenticate if they don't have the cookie with the right session id or if its passed the timeout period send the user to a logon screen. now if user tries to access bookmark http://yoursite.com/download.php?file=something.pdf the user is sent to a login screen to set the cookie before being sent back to the download page (ie if !$logged_on { send the redirect header() } )

simple. effective. many have done this before and so can you.

[deleted]

Note: this still doesn't protect against direct-bookmarking.

In order to make your documents bookmark-proof you'll have to store the protected documents in a location where the webserver cannot reach them. Then use a PHP script (with the given authentication methods in it) to read the file and pass it to the client.

A forum, a FAQ, email notification, what else do you need?

Time to YAPF!: http://www.hvt-automation.nl/yapf/

Anon

Look at my answer to your previous post:

http://www.phpbuilder.com/forum/read.php3?num=1&id=138612&thread=138510