Need htaccess trick to protect dynamic CMS pages


Postby tyee » Wed Feb 21, 2007 9:04 am

Greetings
I have tried to do all the homework I can on this but I'm stuck now. I am using sNews CMS, which creates dynamic pages using a MySQL database. I want to protect pages that I have created by using htaccess. Searching for the last few days, I found out that Textpattern CMS also can be, and has been, protected this way. Here is the theory and code the guy used --

Theory

Suppose your website is at http://example.com and TXP is installed in the root directory and you want to use HTTP authentication to protect the section called ‘protected’ (http://example.com/protected).

This example assumes your website is hosted on an Apache webserver and that you already have an existing .htpasswd file containing usernames and passwords.

1. Physically create that directory ‘protected’
2. Within that directory ‘protected’, create the following .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^(.*) ../index.php
</IfModule>

AuthType Basic
AuthUserFile /path/on/server/to/.htpasswd
AuthName "Only for registered users"
require valid-user

End How To

Theory Explanation --

When you’re allowed to visit the protected directory (which exists physically on the server), the RewriteRule prevents that physical directory from being shown to the user. Instead it redirects the request to Textpattern’s index.php (which would have happened if that protected directory hadn’t existed physically on the server), so TXP can show the section you really wanted to see.

Normally, sections in TXP don’t have a corresponding physical directory. It is all handled by index.php. To be able to password protect with .htaccess, a physical directory is required, but… when you request a file or directory that physically exists, the default TXP installation will no longer take care of it; instead that real, physical directory/file will be shown by the webserver. The rewrite rule overrides that by saying: even though there is a physical file/directory here, we still want TXP to handle the request. Because that happens after the authentication step, you get what you want: a password protected TXP section.

End Theory


I tried to get sNews to work with this but no luck. I kept getting redirected to my index.php page and not to the other page I wanted to go to ("protected" folder in this example). I think the 3rd line needs modifying for sNews --

RewriteRule ^(.*) ../index.php

I think something needs to be added at the end of index.php but I don't know what. Here is the htaccess file that comes with sNews, maybe that will help --

<IfModule mod_php4.c>
php_value session.use_trans_sid 0
</IfModule>
RewriteEngine On
#RewriteBase /sNews15
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.*) $1 [L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)$ index.php?category=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?category=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z_]+)/([^/]+) index.php?category=$1&title=$2 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z_]+)/([^/]+)/([^/]+)/ index.php?category=$1&title=$2&commentspage=$3 [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z0-9_-]+)/([0-9]+)/ index.php?category=$1&articlespage=$2 [L]

tyee
tyee
 
Posts: 2
Joined: Wed Feb 21, 2007 8:53 am

Postby richardk » Wed Feb 21, 2007 10:00 am

You could try
Code:
Options +FollowSymLinks

Order Allow,Deny
Deny from All

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule .* ../index.php [QSA,L]
</IfModule>


If you want to use that sNews .htaccess file it won't work with the Textpattern password protection.

You could use a normal .htaccess/.htpasswd pair**, or edit the sNews files (all the files that need password protection, not include files) to include a PHP password protection script (possibly using Textpattern's system).

**There is a known problem with .htaccess/.htpasswd authentication and mod_rewrite, so beware, if you get 404 errors that's probably the problem.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby tyee » Wed Feb 21, 2007 10:31 am

Hi richardk
Thanks for the reply. One point is that there are only two sNews files, and they are snews.php and index.php. Everything else, except the style.css, is pulled from the database and created dynamically. So this means I can't add any PHP code to the pages I create because they don't exist until asked by the browser.

I'll try your other suggestion.

Thanks
tyee
tyee
 
Posts: 2
Joined: Wed Feb 21, 2007 8:53 am

Postby richardk » Wed Feb 21, 2007 11:16 am

You'd add the code to the two real PHP files (or possibly only index.php, depending on what snews.php does). Then when you tried to access a fake page and the request was sent to index.php, it would run before the content was pulled from the database.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
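
The approach described in the last reply (a check in index.php that runs before any content is fetched), as an added example that is not part of the original thread and not sNews code. The names `$protectedCategories`, `$users`, `firstSegment()` and `requireLogin()` are hypothetical, and the section name, user and hash placeholder are constructed.

```php
<?php
// Added example, not sNews code: put at the very top of index.php so it
// runs before any content is pulled from the database.
// Hypothetical names: $protectedCategories, $users, firstSegment(), requireLogin().

$protectedCategories = ['protected'];   // constructed sample section name
$users = [
    // Placeholder: paste the output of password_hash('secret', PASSWORD_DEFAULT).
    'alice' => 'REPLACE_WITH_PASSWORD_HASH',
];

// The .htaccess quoted in the thread passes the whole request path as
// ?category=, so "protected/some-title" must be gated as well as "protected".
// Lower-casing assumes the CMS matches category names case-insensitively.
function firstSegment(string $category): string
{
    $parts = explode('/', strtolower(trim($category, "/ \t\r\n")), 2);
    return $parts[0];
}

function requireLogin(array $users): void
{
    // PHP_AUTH_* are populated under mod_php; CGI/FastCGI setups may need
    // the Authorization header forwarded. Use HTTPS: Basic is not encrypted.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    $hash = $users[$user] ?? null;
    if (!is_string($hash) || !password_verify($pass, $hash)) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="Only for registered users"');
        exit('Authentication required.');
    }
}

$category = $_GET['category'] ?? '';
if (!is_string($category)) {
    // Fail closed on ?category[]=... instead of letting it bypass the check.
    header('HTTP/1.1 400 Bad Request');
    exit('Bad request.');
}
if (in_array(firstSegment($category), $protectedCategories, true)) {
    requireLogin($users);
}
// ...the rest of index.php continues here for public or authenticated requests.
```

The check covers only requests routed through the `category` parameter; it assumes sNews offers no other URL form that reaches the same articles.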

