1

I would like to rewrite all requests for http://models.example.com/* to http://models.example.com/handler.php?requested_url=*

Then, handler.php would check my $_SESSION variables to see if the user is logged in. If the user is logged in, then handler.php would redirect to the requested_url.

If the user is not logged in, then handler.php would use regular expressions to find matches between requested_url and an array of permission rules (ruleList.php). If handler.php sees that there is a rule allowing non-logged-in users to access requested_url then it would redirect to the requested_url, otherwise it would redirect to a login page.

My problem is this: How do I distinguish between an initial request and a redirection? (to avoid an infinite loop). I can append a variable like &already_processed=true, but that is completely insecure.

I would use mod_auth, but the problem is that I want the permissions to be settable through the website's administrative panel (ruleList.php). The permission rules could be complex, and the people setting them should not have to poke around in the server's httpd.conf file. Another problem with mod_auth is that changes would require the server to be reset.

I'd appreciate any input on the subject!

Mike Furlender
  • 3,869
  • 5
  • 47
  • 75

1 Answers1

2

... would redirect to ...

A redirect is always insecure. It will pass the action back to the client (Browser) and then end the request.

That means, the next request is a new request and both Apache and your PHP script have no information if the request is new or not until you add it to the session.

However, as you want your apache webserver to serve the resource, you need to verify the session within apache. That means you need to extend apache so that you can check some environment variables or similar as conditions for the rewrites.

As you can imagine, this is all a little complicated.

As you mention mod_auth, IIRC you can query against a Mysql database. That done you might be even able to validate against request URIs. That's probably an easy variant in your case.

hakre
  • 193,403
  • 52
  • 435
  • 836
  • Thanks for your reply. When I wrote "would redirect to" I should have said "would rewrite to", but I am pretty sure that your answer still applies. I was considering getting around the problem you mentioned by using cookies within .htaccess, as mentioned on this page: http://www.willmaster.com/blog/contentprotection/htaccess-cookie.php – Mike Furlender Sep 23 '12 at 22:37
  • Yes, however cookies are a bit like a query parameter (a bit better), so do not expect super-security from it. But cookies are used for HTTP session management, so I'd say it looks good. – hakre Sep 23 '12 at 22:55