Htaccess - protect a folder using a cookie?

Hi all,

Apologies to anyone who read the original version of this thread, I’ve had to change it due to getting a little further forward.

Basically I have a folder on my server that needs to be protected by a cookie.

[highlight=.htaccess]
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)(\.gz)?$">
Header set Expires "Thu, 15 Apr 2020 20:00:00 GMT"
Header unset ETag
FileETag None
</FilesMatch>
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
BrowserMatch MSIE ie
Header set X-UA-Compatible "IE=Edge,chrome=1"
</IfModule>
</IfModule>

RewriteEngine on

RewriteCond %{REQUEST_URI} ^/folder(/.)
RewriteCond %{HTTP_COOKIE} !^gmvc=([0-9])$ [NC]
RewriteRule ^(.*)$ /login/1 [R=301,L]

RewriteCond $1 !^(index\.php|assets|folder)
RewriteRule ^(.*)$ /index.php/$1 [L]
[/highlight]



When I go to /folder, the .htaccess redirects me to /login/1 as it should. After successfully logging in, I create a cookie called gmvc and redirect back to /folder.

My problem is, that upon redirecting back to /folder, .htaccess then sends me back to /login/1 despite the cookie actually being created.

I'm really sorry for asking such a stupid question but I'm stuck and would really appreciate some help! 

Cheers

Gavin

Gavin,

It would have been better to have continued your former post (to retain that information in your request).

Expire in 9 years? Not changing anything at all, eh? IMHO, not a good idea!

Please use [noparse] ... [/noparse] to wrap your code as that makes the code easier to comment upon.

I find your use of the {HTTP_COOKIE} quite good and give kudos for that. However, the prior RewriteCond’s ^/folder is reserved for Apache 1.x (or a subdirectory’s subdirectory which I see is NOT the case from your regex), so I’m baffled as to why this works at all (unless you’re using Apache 1.x, obviously, although I thought they were extinct in the wild).

I’m also perplexed as to why you’d use Options MultiViews.

Okay, these do not constitute a response to your question as to why your code works once but not when a cookie is set. Can you confirm that it IS set (it cannot be once anything is sent to the browser by your index.php)?

Regards,

DK

Hi DK,

Unfortunately I wasn’t having one of my finest moments yesterday. I’m moving into a new house on Monday, so was meant to be spending most of my Friday evening packing etc. Instead, I was at work, busting my nuts trying to figure this out…

Anyhoo… My biggest problem at first was Apache caching the rules. Whilst it’s a great feature once it’s all working, whilst you’re trying to debug, having your old rules still exist even when you have removed them was rather annoying…

So much so, I simply renamed all the .htaccess files I was playing with so they wouldn’t work and went home…

When I got home, I took another look and finally cracked it.

I simply did the following instead:

/htdocs
/htdocs/.htaccess
/htdocs/folder
/htdocs/folder/.htaccess

In /htdocs/.htaccess, I put my MVC routing rules:

[highlight=.htaccess]
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)(\.gz)?$">
Header set Expires "Thu, 15 Apr 2020 20:00:00 GMT"
Header unset ETag
FileETag None
</FilesMatch>
<IfModule mod_setenvif.c>
  <IfModule mod_headers.c>
    BrowserMatch MSIE ie
    Header set X-UA-Compatible "IE=Edge,chrome=1"
  </IfModule>
</IfModule>

RewriteEngine on

RewriteCond $1 !^(index\.php|assets|hypertension|apple-touch-icon\.png|crossdomain\.xml|favicon\.ico|humans\.txt|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]
[/highlight]

then in /htdocs/folder/.htaccess, I put the following:

[highlight=.htaccess]
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !gmvc=1 [NC]
RewriteRule ^(.*)$ /login/1 [R,L]
[/highlight]

Now it all works perfectly. I didn’t realise you could actually get/set cookies and look at all other server information via mod_rewrite… It saved me having to wrap all the files I wanted to protect with PHP to check for sessions/cookies.

As for the 9 years comment :wink: I was trying to gzip/compress/speed up all of the assets for the site. When I ran YSlow, it advised what I needed to do and I did it.

To be honest, the site is a brochure site, so really, it won’t change at all. If anything, the only things that will change, are those not affected by the caching.

Thank you, if I were still ripping my hair out, I know you would have been the help I needed!

Gavin,

You’re very welcome … especially because it was nice to see another use (cookies - I prefer to let my $_SESSIONs set the cookies they need) and your use of two levels of .htaccess (one to revert back to the base level from the login (folder) subdirectory) was a bit of logic I’ve not seen in years. Kudos to you!

Regards,

DK
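An added example, not code from anyone in the thread: Apache tests a RewriteCond pattern against the whole Cookie request header in %{HTTP_COOKIE}, so this Python block evaluates the thread's two cookie conditions against constructed headers to show how anchoring changes the outcome. The `whole_pair` pattern, the helper names and the sample headers are assumptions, and Python's `re` stands in for Apache's PCRE.

```python
import re

# A RewriteCond pattern is matched against the entire Cookie header,
# not against a single cookie's value. [NC] corresponds to re.IGNORECASE.
PATTERNS = {
    # First post's condition, as it appears on the page with the broken line joined.
    "anchored": re.compile(r"^gmvc=([0-9])$", re.I),
    # Working condition from /htdocs/folder/.htaccess.
    "substring": re.compile(r"gmvc=1", re.I),
    # Assumption (not from the thread): accept gmvc=1 only as one whole
    # name=value pair; case-sensitive because cookie names are.
    "whole_pair": re.compile(r"(^|;\s*)gmvc=1(;|$)"),
}


def redirected(rule, cookie_header):
    """Emulate `RewriteCond %{HTTP_COOKIE} !pattern`.

    Returns True when the request would be sent to /login/1.
    """
    return PATTERNS[rule].search(cookie_header or "") is None


# Constructed Cookie headers (sample data, not captured traffic).
SAMPLES = [
    "",                          # first visit, no cookies at all
    "gmvc=1",                    # only the login cookie
    "PHPSESSID=abc123; gmvc=1",  # login cookie after a session cookie
    "gmvc=1; theme=dark",        # login cookie before another cookie
    "xgmvc=10",                  # a different cookie that contains the text
]


def table():
    """Map each sample header to the outcome under every pattern."""
    return {h: {r: redirected(r, h) for r in PATTERNS} for h in SAMPLES}


if __name__ == "__main__":
    for header, row in table().items():
        cells = "  ".join(
            f"{rule}={'login' if hit else 'pass'}" for rule, hit in row.items()
        )
        print(f"{header!r:30} {cells}")
```

The Cookie header is supplied by the client, so each of these conditions only shows that the browser presented `gmvc=1`, not that a login took place.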