Registricting folder access based on .htaccess and cookie variable - .htaccess

I need to add a condition in .htaccess file to check if a user is logged in (cookie value SESS#######) and based on the condition i need to grant access to folder.
Sample Cookie name: SESS12312312132ABD or SESSACBBCBBCBCBCCB (SESS is prefixed for every cookie value)
I tried with below condition but not working
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !SESS.* [NC]
RewriteRule .* http://www.google.com
</IfModule>
Appreciate your suggestion

Related

mod-rewrite redirect but prevent direct access

I want to redirect all content to:
www.example.com/public/...
but prevent direct access to
www.example.com/public/file1/
www.example.com/public/file2/
etc
The final URL should be:
www.example.com/file1/
I've tried this for redirecting and it works - but I dont know how to prevent direct access:
ReWriteCond %{REQUEST_URI} !/public/
RewriteRule ^(.*) public/$1 [L]
After spending an inordinate amount of time trying to solve this problem, I found that the solution lies with the under-documented REDIRECT_STATUS environment variable.
Add this to the beginning of your top-level /.htaccess code, and also to any .htaccess files you have under it (e.g. /public/.htaccess):
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} !=200
RewriteRule ^ /public%{REQUEST_URI} [L]
</IfModule>
Now, if the user requests example.com/file1 then they are served the file at /public/file1. However, if they request example.com/public/file1 directly then the server will attempt to serve the file at /public/public/file1, which will fail (unless you happen to have a file at that location).
IMPORTANT:
You need to add those lines to all .htaccess files, not just the top-level one in the web root, because if you have any .htaccess files below the web root (e.g. /public/.htaccess) then these will override the top-level .htaccess and users will again be able to access files in /public directly.
Note about variables and redirects:
Performing a redirect (or a rewrite) causes the whole process to start again with the new URI, so any variables that you set before the redirect will no longer be set afterwards. This is done deliberately, because usually you do not want the final result to depend on how you got there (i.e. whether it was via a direct request or via a redirect).
However, for those special occasions where you do want to know how you got to a particular URI, you can use REDIRECT_STATUS. Also, any environment variables set before the redirect (e.g. with SetEnvIf) will still be available after the redirect, but with REDIRECT_ prefixed to the name of the variable (so MY_VAR becomes REDIRECT_MY_VAR).
Maybe you should clarify what's the expected behaviour when user tries to reach the real URL:
www.example.com/public/file1/
If by prevent you mean forbid, you could add a rule to respond with a 403
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !/public/
RewriteRule ^(.*)$ /public/$1 [L]
RewriteCond %{REQUEST_URI} /public/
RewriteRule ^(.*)$ / [R=403,L]
</IfModule>
Update: The solution above doesn't work!
I realized my previous solution always throws the 403 so it's worthless. Actually, this is kinda tricky because the redirection itself really contains /public/ in the URL.
The solution that really worked for me is to append a secret query string to the redirection and check for this value on URL's containing /public/:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !/public/
RewriteRule ^(.*)$ /public/$1?token=SECRET_TOKEN [L]
RewriteCond %{REQUEST_URI} /public/
RewriteCond %{QUERY_STRING} !token=SECRET_TOKEN
RewriteRule ^(.*)$ / [R=403,NC,L]
</IfModule>
This way www.example.com/file1/ will show file1, but www.example.com/public/file1/ will throw a 403 Forbidden error response.
Concerns about security of this SECRET_TOKEN are discussed here: How secure is to append a secret token as query string in a htaccess rewrite rule?
If your URL's are expected to have it's own query string, like www.example.com/file1/?param=value be sure to add the flag QSA.
RewriteRule ^(.*)$ /public/$1?token=SECRET_TOKEN [QSA,L]

rewrite rule with .htaccess to mask url

My present url structure :
domain.com/items/view/5
domain.com/user/view/5
domain.com/user/edit/5
Now i don't want users to directly know the 'id' in the url, as they can directly fire a query from the address bar.
Hence i want to mask the url to :
domain.com
i.e. domain.com/anything will come as it is but the url will not change.
Thanks in advance.
Also note that i have already made .htaccess file with following code to remove 'index.php' from the url and that is working perfect.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
</IfModule>
Can't be done. The only way to hide the id is to pass it outside the url - i.e. as POST data; but .htaccess doesn't have access to that, only the url.
Your code should instead handle the fact that users could enter the url directly and either act correctly or use a http-redirect header to send the user back to the main page.

htaccess make additional (hidden) request in background

I want a script on my server to excecute whenever there is a certain string found in the GET parameter. However I dont want the user to notice any of this as the server should serve the requested page like usual.
Is this possible?
RewriteCond %{REQUEST_URI} matchthis
# Make hidden request
Enable mod_rewrite and .htaccess through httpd.conf and then put this code in your .htaccess under DOCUMENT_ROOT directory:
Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} !^foo=bar(&|$) [NC]
RewriteRule ^matchthis/?$ %{REQUEST_URI}?foo=bar [L,QSA,NC]
This rule is adding a query parameter foo=bar if requested URI is /matchthis. This change will be hidden from the user since I'm not using R flag here hence it is an internal forward instead of an external redirect.

How to redirect in .htacces &Itemid=x to &Itemid=Y

Hello I have this issue
I cant redirect this
index.php?option=com_adsmanager&view=list&catid=8&Itemid=435
To this
index.php?option=com_adsmanager&view=list&catid=8&Itemid=565
catid=8 is a variable i need redirect all the catid= values
Im only need to chanche &Itemid=435 to &Itemid=565
I have this code
RewriteEngine on
RedirectMatch 301 ^(.+)\&Itemid=435$ $1&Itemid=565
I dont know what is wrong
I need all the urls anything&Itemid=435 goes to sameanything&Itemid=565
Alternative
Add below PHP Code at the top of index.php or configuration.php of Joomla!
It checks for numerical catid & Itemid requests & if Itemid=435 It will redirect URL with catid & new Itemid. Feel free to modify code according to your need!
if(isset($_GET['catid']) && is_numeric($_GET['catid']) && isset($_GET['Itemid']) && is_numeric($_GET['Itemid']))
if($_GET['Itemid'] == 435)
{
$catid = $_GET['catid'];
$location = "/index.php?option=com_adsmanager&view=list&catid=$catid&Itemid=565";
header ('HTTP/1.1 301 Moved Permanently');
header ('Location: '. $location);
}
Answer - 2
I assumed that you wants is to redirect URI-1 to URI-2.
index.php?option=com_adsmanager&view=list&catid=8&Itemid=435
index.php?option=com_adsmanager&view=list&catid=8&Itemid=565
Below mod_rewrite will let you redirect specific URI to other specific URI.
Just add below rules in .htaccess file.
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} ^option=com_adsmanager&view=list&catid=8&Itemid=435$
RewriteRule ^/?index\.php$ /index.php?option=com_adsmanager&view=list&catid=8&Itemid=565 [R=301,L]
</IfModule>
Answer - 3
Use below in your .htaccess, if you want to handle requests with'/index.php' and '/'.
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} ^option=com_adsmanager&view=list&catid=8&Itemid=435$
RewriteRule ^(.*)$ /index.php?option=com_adsmanager&view=list&catid=8&Itemid=565 [R=301,L]
</IfModule>
NOTE: Do not use both code in single .htaccess file.

How to pass-through requests not going to specific directories to index.php/path?

In my present project I've got several directories: application (my MVC files, which mustn't be accessed), images, css, and js. Effectively I want all requests to images/css/js to proceed unchanged, but all others I wish to call index.php/my/path.
My .htaccess currently looks like this, and is wreaking havoc with my routing.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond $1 !^(index\.php|images|js|css|robots\.txt)
RewriteRule ^(.*)$ http://example.com/index.php/$1 [L]
</IfModule>
This isn't working as relative URLs start stacking up, such as: example.com/blog/view/1/blog/view/2.
When I attempt something like,--
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/(index\.php|images|js|css|robots\.txt)
RewriteRule ^ index.php%{REQUEST_URI} [PT]
</IfModule>
I get this error with any request: No input file specified.
How can I force all requests not to my whitelisted directories to call, not redirect to (redirection murders posting, I found), index.php/path? IE, when /blog/view/1 is requested by the browser, .htaccess calls index.php/blog/view/1. The reference files at Apache's site aren't too clear about how to do this sort of thing—that, or, I am just missing the point of what I'm reading about RewriteRule.
And, I really want to understand this. Why will your answer work? Why are my attempts failing?
This is what I have in my .htaccess for my framework:
<IfModule mod_rewrite.c>
RewriteEngine on
#This will stop processing if it's images
RewriteRule \.(css|jpe?g|gif|png|js)$ - [L]
#Redirect everything to apache
#If the requested filename isn’t a file….
RewriteCond %{REQUEST_FILENAME} !-f
#and it isn’t a folder…
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?$1 [L,QSA]
#L = (last - stop processing rules)
#QSA = (append query string from requeste to substring URL)
</IfModule>
Hope this helps.
PS: Maybe you want to remove the lines to stop redirecting if it's a file or folder ;)
Antonio helped me get on the right track, so here's the resulting .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine on
# skip if whitelisted directory
RewriteRule ^(images|css|js|robots\.txt|index\.php) - [L]
# rewrite everything else to index.php/uri
RewriteRule . index.php%{ENV:REQUEST_URI} [NE,L]
</IfModule>
You're going to have to do that using PHP. For example, if you wanted to split your URI into something like domain.tld/controller/action/param, then you could use the following PHP code as a start:
<?php
// Filter URI data from full path
$uri_string = str_replace($_SERVER['SCRIPT_NAME'], '', $_SERVER['REQUEST_URI']);
$uri_string = trim($uri_string, '/'); // Make sure we don't get empty array elements
// Retrieve URI data
$uri_data = explode('/', $uri_string);
In that case, $uri_data[0] is the controller, $uri_data[1] is the action, and beyond that are parameters. Note that this isn't a foolproof method, and it's never a great idea to trust user-entered input like this, so you should whitelist those controllers and actions which can be used.
From here, knowing the controller and having a consistent directory structure, you can require_once the proper controller and call the action using variable variables.
This is what I use in my .htaccess file for my CMS:
Options -Indexes
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php/$1 [NC,L]
And then in my index.php file I have:
$path_info = '';
$path_info = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : $path_info;
$path_info = isset($_SERVER['ORIG_PATH_INFO']) ? $_SERVER['ORIG_PATH_INFO'] : $path_info;
$request = explode('/', trim($path_info, '/'));
// if $request[0] is set, it's the controller
// if $request[1] is set, it's the action
// all other $request indexes are parameters
Hope this helps.

Resources