Full Version: password protect and accept referers
blackburnrovers
I want to password protect my entire public_html folder with one username and password. I also want to have a kind of override so that if the user accesses my site from a trusted link, it should not ask for the password.

example:
user comes directly to http://mydomain.com
user is prompted for username and password

user clicks on link from http://bobsusedcards.com
user is not prompted for username/password and gets immediate access to site http://mydomain.com

any ideas?
JasonJones
Ok, let's see if I can do this for ya... Let me make sure I understand completely first, then I'll work it out and post the code...

You want a password protected site from everywhere, unless that person is from a specific site(s). So you want to first filter them based on referer and if it's not from bobsusedcards.com then prompt for a password, right?

You do know that faking the referer information is trivial and anyone with a little knowledge could easily pass by your password protection with the above scenario by just faking the referer info in the headers.

But with that, I'll try and work it out... Give me a few minutes..

Jason
blackburnrovers
exactly right. that way, if they come from the trusted referrer, they are not prompted when they surf to anywhere in the public_html, even subfolders. i am OK with the lack of security that this model sets up. thanks much for your help.
Danimal
Seems to me it would be possible on your main page to check the referrer and then redirect based on that referrer (to either the page or a password protected page). Some sort of php or cgi script could do it. It's clicking in my head, but Jason's already on it and I'm sure it'll work much more accurately than if I tried it.
JasonJones
Alright, after many annoying endless loops I think I've got it figured out using 2 .htaccess files (one to process referer and one for password). The directory structure would look like so on the site:
CODE
.htpass          <--- contains the passwords for the site (put this OUTSIDE the webspace)
/.htaccess       <--- contains the referer mod_rewrite
/index.html      <--- asks people to Login - links to /pass
/pass/           <--- contains .htpassword that has login params
/pass/.htaccess  <--- <limit> tags for the passwords
/pass/index.html <--- contains Thank you for logging in and Link to /content
/content/        <--- Houses all the "content" of the site

That's about it...

In the .htpass file, you need to set up a user/pass with htpasswd... (read more on this later) Put this file outside of the web readable space.

In the .htaccess file you need the following:
CODE
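# Turn on mod_rewrite for this directory
RewriteEngine on
# Allowed referers (dots escaped so they match literally); NC = case-insensitive
RewriteCond %{HTTP_REFERER} !^http://yoursite\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.theothersite\.com/.*$ [NC]
# Any other referer, or none at all, is redirected to the login area
RewriteRule .*$ http://yoursite.com/pass [R,NC]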


In the /pass/.htaccess file you need the following:
CODE
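# Password file created with htpasswd; keep it outside the web root
AuthUserFile /full/path/to/.htpass
AuthName "You need to Login First ######a!"
AuthType Basic

# Host access is denied to everyone, so with "Satisfy Any" a valid login is the only way in
Satisfy Any
# Note: <Limit> applies these rules only to the methods it lists
<Limit GET POST>
order deny,allow
deny from all
require valid-user
</Limit>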


The other files are just html that use common <a href> tags to link to the other pages. To set up .htpass you need access to htpasswd on the server. So if you have SSH, good, just hit the shell and type:
htpasswd -c .htpass USERNAME

Change USERNAME to whatever username you wish. You can set up multiple users to track access to it as well. Just drop the -c when adding users.

And to see it in action, check out the following (I added referer info for each page so you can kind of see what the server sees as the referer):
This link should work for everyone, no pass:
http://pr0ntab.com/blackburnrovers/content/

This link should take you to the main page of the site, no pass unless you click the link (Copy/Paste link into browser):
CODE
http://pr0ntab.com/blackburnrovers/


This link should take you to a password. Once logged in (demo/test) it will link to the content and no further password should be needed (you have to cut and paste this into a browser window to null the referer)
CODE
http://pr0ntab.com/blackburnrovers/content/
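
An added example, not part of the original post and not JasonJones's code: a small audit of Apache access logs that counts how many requests to /content/ were admitted on the Referer header alone under the setup above. It assumes the "combined" log format and the placeholder host names from the post; the log lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Placeholder hosts from the post's RewriteCond lines (dots escaped); NC flag -> re.I
OWN_SITE = re.compile(r'^http://yoursite\.com/', re.I)
TRUSTED = re.compile(r'^http://www\.theothersite\.com/', re.I)
PROTECTED_PREFIX = "/content/"  # assumption: only the content tree is audited

def classify(line):
    """Label one access-log line by how the request got past the referer rule."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    if not m["path"].startswith(PROTECTED_PREFIX):
        return "out-of-scope"
    if m["status"] == "302":
        return "redirected"      # referer not allowlisted, sent to /pass
    if TRUSTED.match(m["referer"]):
        return "referer-only"    # admitted on a client-supplied header alone
    if OWN_SITE.match(m["referer"]):
        return "internal"        # navigation inside the site
    return "rule-gap"            # served without an allowlisted referer

def audit(lines):
    """Count log lines per label."""
    return Counter(classify(line) for line in lines)

# Constructed sample lines (documentation IP ranges, made-up timestamps)
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2000:10:00:00 +0000] "GET /content/ HTTP/1.1" 200 512 "http://www.theothersite.com/links.html" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2000:10:00:04 +0000] "GET /content/a.html HTTP/1.1" 200 900 "http://yoursite.com/content/" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2000:10:05:00 +0000] "GET /content/ HTTP/1.1" 302 210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2000:10:06:00 +0000] "GET /content/b.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '198.51.100.7 - demo [01/Jan/2000:10:05:03 +0000] "GET /pass/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE).items()):
        print(f"{label:13} {count}")
```

The log cannot tell a genuine Referer from one set by the client, so the "referer-only" count is simply the number of requests that reached content without a password; a non-zero "rule-gap" count means the rewrite rule is not being applied to every request.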
blackburnrovers
thanks for all this info. i haven't had time to try this out yet, but will soon. i really appreciate the help.