问题描述:

I'm using a membership script to allow access to private files by a group of people. The problem is anyone who knows the link to the files can easily bypass the membership script and have direct access to the files. My goal is to prevent direct URL access through http://domain.com/folder1/folder2/index.php and to only accept access from http://domain.com/folder1/file_with_link_to_index.php. The membership script is useless unless I can prevent people typing in the url to the file locations.

I'm having a hard time even beginning to understand Apache but what I was attempting to do was to use "Deny All" and then "Allow from http://folder1/file_with_link_to_index.php." so that access to the files could only be access through the "file_with_link~" only. It didn't work. I was still able to paste the url to the files into the browser and access the directory.

I found similar questions on StackO but not enough experience to understand and actually take the little pieces that were similar to my problem and actually use them. It's probably something simple but I'm so frustrated with trying to figure this out that I can't see it.

Here's a quick example of what I was trying to use:

deny all except those indicated here

<Limit GET POST PUT>

order deny,allow

deny from all

allow from 12.345.67.890

allow from http://domain.com/fold1/LINKING_FILE/program_index.php

</Limit>

I'm pretty sure I'm failing on the way the domain is supposed to be written and maybe that's why it's not working?

网友答案:

I would use another approach to this than by htaccess. Put the files in a directory unreachable for the public web, then use your membership php script to retrieve them.

网友答案:

jTheMan was right. There was a better way of tackling this using PHP. My fix for my problem is below just in case it's useful to anyone else. The only awesome addition would be to make the code below allow direct URL access from just one IP, like my own :0)

I added the following file to the "head" or "index" or to the very top of the page that was called first in each application:

//Begin refuse direct URL Connections
$refering=parse_url($_SERVER['HTTP_REFERER']);
if($refering['host']==$_SERVER['HTTP_HOST']){
   echo "";
} else {
   header("Location: http://www.yourdomain.com");
    exit();
}
//End refuse direct URL Connections

Thank you!

相关阅读:
Top