2

I am currently developing an Apache module and after parsing POST data from a request to another page, I make an internal redirect to a PHP page that makes some final operations and echoes out an HTML meta refresh tag. This in turn makes the browser refresh, requesting the first page.

The problem is, I don't want explicit outside requests to be able to access that page, but let the module do the internal redirect successfully.

Is there a way I can do this? I have tried using:

<Directory /var/www/cc_jnlp/php/>
    <Files session_init.php>
        Order allow,deny
        Deny from all
    </Files>
</Directory>

...but that just blocks all requests, regardless of whether or not it was an internal redirect.

ravemir

2 Answers

1

Try with the following configuration:

<Directory /var/www/cc_jnlp/php/>
    <Files session_init.php>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Files>
</Directory>
  • I can't test it right now, but my guess is that when I do the internal redirect, the address of the original request is kept, as well as the restriction on outer requests to that page. If that page doesn't run, then I can't establish a session. – ravemir Sep 13 '12 at 16:32
  • @ravemir You're right, probably I have misunderstood your question. Maybe [this answer](http://stackoverflow.com/questions/5769459/mod-rewrite-allow-redirect-but-prevent-direct-access) can be more useful? – Sep 13 '12 at 19:14
  • It is not the most satisfactory solution, since once the secret key is discovered, the system is compromised. However, by randomizing this value on startup, one could mitigate this risk. – ravemir Sep 13 '12 at 22:11
  • Enzino, if you post an answer similar to mine, the bounty is yours, since you pointed me to an answer that triggered it :) – ravemir Sep 18 '12 at 09:35
  • @ravemir Thank you for the feedback, but wouldn't it be simpler to assign the bounty to my answer and accept your own answer, just to avoid a duplicate? Otherwise I will try to edit my answer as you suggested. – Sep 18 '12 at 14:09
0

A good approach would be to send something with the request that would identify it as a legitimate one. My first approach was to generate a big random number at the start of the server activity, and transmit it along with the data. The module would identify all requests to that page, and deny those that didn't include that specific query argument. Problem was, this was susceptible to brute-forcing, and the only way to counter it was to increase key size.

My definitive solution will use the Apache Notes system to transmit the data instead, and assuming that only the Apache server itself can manipulate that data, we can safely deny all requests that don't include it.

ravemir
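The first approach in the answer above (a random value generated at server start and required as a query argument), as an added example in plain C; it is not the poster's module code. The function names, the 256-bit token size and the use of `/dev/urandom` are assumptions, and a real module would call the check from its access hook on the request's query string.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TOKEN_BYTES 32                  /* 256 bits: guessing is infeasible */
#define TOKEN_HEX   (TOKEN_BYTES * 2)

/* Hypothetical helper: fill out[] with a fresh hex token from the OS CSPRNG.
   Call once at server start. Returns 0 on success, -1 on failure. */
int make_token(char out[TOKEN_HEX + 1])
{
    unsigned char raw[TOKEN_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        sprintf(out + 2 * i, "%02x", raw[i]);
    return 0;
}

/* No early exit, so timing does not reveal how many characters matched. */
static int ct_equal(const char *a, const char *b, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hypothetical check: 1 only if query carries name=<token> exactly.
   token must be TOKEN_HEX characters long. */
int query_has_token(const char *query, const char *name, const char *token)
{
    size_t nlen = strlen(name);
    while (query != NULL && *query != '\0') {
        size_t plen = strcspn(query, "&");   /* length of this parameter */
        if (plen > nlen && query[nlen] == '=' && strncmp(query, name, nlen) == 0) {
            size_t vlen = plen - nlen - 1;
            /* The token length is public, so checking it first leaks nothing. */
            return vlen == TOKEN_HEX && ct_equal(query + nlen + 1, token, TOKEN_HEX);
        }
        query += plen;
        if (*query == '&') query++;
    }
    return 0;                                /* parameter absent: deny */
}
```

The first occurrence of the parameter decides the result, so a request cannot append extra guesses in the same query string.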