Hello all,
I'm using a CGI script to produce a kind of private journal, accessible by a team only. This journal is accessible through URL rewrite and its directory is htpasswd protected... But anyone who accesses it by sending a direct request to the CGI script can (it seems) work around the protection and see the journal's content. How to avoid this?
Here are the details of the installation:
To avoid an unfriendly URL like (the script being in a sub-directory because it generates some files about stats and cache beside), I've placed an htaccess with URL rewrite in the public root. This way, the team can access the journal's notes at
Here is the content of this httpdocs/.htaccess:
Code:
RewriteEngine on
RewriteRule ^journal/?(.*)$ /cgi-bin/journal/journal.cgi/$1
About protection, there I've placed a .htaccess file implementing a .htpasswd one. The .htaccess file is in the directory which contains the journal's notes. Here is its content:
Code:
AuthUserFile /etc/httpd/conf/.htpasswd-for-journal
AuthGroupFile /dev/null
AuthName "for Team Only"
AuthType Basic
require valid-user
So, if a visitor accesses the site at it's correctly redirected to journal.cgi and the credentials box is displayed as expected (the user has to be a member to see the journal).
But if a visitor calls directly it seems that the htpasswd is bypassed (in fact, the password box is displayed but, in the background, the journal is displayed anyway) and everyone can see the journal ((
So, how to avoid this? Is there a way to avoid direct access to ?
Hoping for your enlightened advice
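
An added check, not part of the original post: it sends a request without credentials to both the rewritten URL and the rewrite target and reports any path that does not answer with a 401 Basic challenge. The function names and the local stub server are assumptions; the stub is constructed to imitate the behaviour the post describes, where only the friendly URL asks for a password.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FRIENDLY = "/journal/"                      # rewritten URL from the post's RewriteRule
DIRECT = "/cgi-bin/journal/journal.cgi/"    # rewrite target from the post's RewriteRule
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def anonymous_status(url, timeout=5):
    """GET url without credentials; return (status, sends_basic_challenge)."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:   # 4xx/5xx responses arrive as exceptions
        status, headers = err.code, err.headers
    challenge = headers.get("WWW-Authenticate") or ""
    return status, challenge.lower().startswith("basic")

def unprotected(base, paths):
    """Return the paths that do not answer an anonymous GET with 401 + Basic."""
    return [p for p in paths if anonymous_status(base.rstrip("/") + p) != (401, True)]

class StubSite(BaseHTTPRequestHandler):
    """Constructed stand-in for the site: only FRIENDLY asks for a password."""
    def do_GET(self):
        if self.path.startswith(FRIENDLY):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="for Team Only"')
            self.end_headers()
        else:                               # assumed behaviour of the direct script URL
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"journal content")
    def log_message(self, *args):           # keep the demo output quiet
        pass

def demo():
    """Run the check against the stub on a free local port."""
    server = HTTPServer(("127.0.0.1", 0), StubSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return unprotected("http://127.0.0.1:%d" % server.server_port, [FRIENDLY, DIRECT])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("answers without credentials:", demo())
```

Against a real site, call `unprotected()` with the site's base URL and both paths; an empty list means every listed path demanded authentication.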