Rewrite rule security question
- From: Lars <sunberg@xxxxxxxxx>
- Date: Fri, 23 May 2008 13:26:08 +0200
Hello list!
I am working on a login system and I'm using htaccess for access
restrictions. I have a script that generates the htaccess file and I
think it is pretty secure but I want to have your opinions
(so don't mind the generation of the file itself, only the rewrite rules).
I use IP restrictions and cookie restrictions. I use the standard PHP
session for generating and setting the session cookie. The .htaccess file
generated looks like this:
#----------------------------------------------------------
RewriteEngine on
Order deny,allow
deny from all
allow from 80.80.80.80 90.90.90.90
RewriteRule .* - [E=REMOTE_USER:user1,E=PHP_AUTH_USER:user1,C]
RewriteCond %{HTTP_COOKIE} !^.*PHPSESSID=aaaabbbbcccdddeeefff111222333.*$
RewriteRule .* - [E=REMOTE_USER:user2,E=PHP_AUTH_USER:user2,C]
RewriteCond %{HTTP_COOKIE} !^.*PHPSESSID=9999888777666555444332211aabb.*$
RewriteRule .*$ - [F]
ErrorDocument 403 /index.php?error403
ErrorDocument 404 /index.php?error404
#----------------------------------------------------------
Is this a secure way of doing this? Is there anything I can do
differently or more securely? The REMOTE_USER and PHP_AUTH_USER variables
are set for faking Apache auth, to create an SSO solution.
Thanks in advance,
Lars
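
Added example, not part of the original post: a small Python model of how the posted deny/allow lines and the chained RewriteRule/RewriteCond pairs resolve for a request, run over constructed cookies to show that the posted cookie pattern is a substring match. The `strict_pattern` helper and the sample requests are assumptions made for illustration, and the chain handling is a simplified model of mod_rewrite, not Apache itself.

```python
import re

# Addresses and session IDs are copied from the posted .htaccess;
# the request cookies further down are constructed test input.
ALLOWED_IPS = {"80.80.80.80", "90.90.90.90"}
SESSIONS = [("user1", "aaaabbbbcccdddeeefff111222333"),
            ("user2", "9999888777666555444332211aabb")]

def posted_pattern(sid):
    # Same shape as the RewriteCond in the post: a substring match.
    return re.compile(r"^.*PHPSESSID=" + re.escape(sid) + r".*$")

def strict_pattern(sid):
    # Assumption (not from the post): require one complete cookie pair.
    return re.compile(r"(?:^|;\s*)PHPSESSID=" + re.escape(sid) + r"(?:;|$)")

def evaluate(ip, cookie, make_pattern=posted_pattern):
    """Return (decision, REMOTE_USER) the way the chained rules resolve."""
    if ip not in ALLOWED_IPS:            # Order deny,allow + allow from
        return "forbid", None
    for user, sid in SESSIONS:           # each [E=REMOTE_USER:<user>,C] rule
        if make_pattern(sid).search(cookie):
            return "allow", user         # negated RewriteCond fails, chain stops
    return "forbid", None                # chain reaches RewriteRule .*$ - [F]

SID1 = SESSIONS[0][1]
CASES = [                                # constructed requests
    ("80.80.80.80", "PHPSESSID=" + SID1),
    ("90.90.90.90", "lang=en; PHPSESSID=" + SESSIONS[1][1]),
    ("80.80.80.80", ""),
    ("10.0.0.1", "PHPSESSID=" + SID1),
    ("80.80.80.80", "PHPSESSID=" + SID1 + "ffff"),   # longer, different ID
    ("80.80.80.80", "XPHPSESSID=" + SID1),           # different cookie name
]

def differences():
    """Cases where the posted and the strict pattern disagree."""
    return [(ip, c) for ip, c in CASES
            if evaluate(ip, c) != evaluate(ip, c, strict_pattern)]

if __name__ == "__main__":
    for ip, cookie in CASES:
        print(ip, repr(cookie), evaluate(ip, cookie),
              evaluate(ip, cookie, strict_pattern))
```

In the two cases where the patterns disagree, the rules set REMOTE_USER to user1 although PHP itself would see a different PHPSESSID value or no PHPSESSID cookie at all.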