|
Home > Archive > Web Servers on Unix and Linux > March 2004 > how to time limit folder access?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
how to time limit folder access?
|
|
| Geoff Cox 2004-03-03, 4:35 am |
| Hello
I would like to be able to time limit user access to a folder ... any
ideas on how to do this? can .htaccess etc be used?
Cheers
Geoff
| |
| Michael Vilain 2004-03-03, 1:37 pm |
| In article <fg8b40dj3bof6uk7n4go1bdp22j74sonfq@4ax.com>,
Geoff Cox <geoffacox@dontspamblueyonder.co.uk> wrote:
> I would like to be able to time limit user access to a folder ... any
> ideas on how to do this? can .htaccess etc be used?
This has been asked elsewhere. Basically, you'll need to be 'creative'
about it. Apache (assuming you're using that server) doesn't do this.
Suggestions from the last time this came up were to control access to a
_directory_ through a CGI script. Either use the date/time stamp on the
folder or a database to restrict when people can gain access. .htaccess
would be used to restrict all access from the browser, but a CGI script
would gain you access however you set it up.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
| |
| Barry Margolin 2004-03-03, 1:37 pm |
| In article <fg8b40dj3bof6uk7n4go1bdp22j74sonfq@4ax.com>,
Geoff Cox <geoffacox@dontspamblueyonder.co.uk> wrote:
> Hello
>
> I would like to be able to time limit user access to a folder ... any
> ideas on how to do this? can .htaccess etc be used?
I'm reading this in comp.unix.admin, but I assume from your
cross-posting to comp.infosystems.www.servers.unix, and mention of
..htaccess, that you're only concerned about web access, not access from
ordinary users.
You can use a cron job that replaces .htaccess at different times of day.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
| |
| Geoff Cox 2004-03-03, 4:37 pm |
| On Wed, 03 Mar 2004 13:18:16 -0500, Barry Margolin
<barmar@alum.mit.edu> wrote:
>In article <fg8b40dj3bof6uk7n4go1bdp22j74sonfq@4ax.com>,
> Geoff Cox <geoffacox@dontspamblueyonder.co.uk> wrote:
>
>
>I'm reading this in comp.unix.admin, but I assume from your
>cross-posting to comp.infosystems.www.servers.unix, and mention of
>.htaccess, that you're only concerned about web access, not access from
>ordinary users.
>
>You can use a cron job that replaces .htaccess at different times of day.
Barry
Yes, should have said, this is for web access.
Re the cron job, how would this work? Would the .htpasswd file be
replaced by a new version, with a new uid/password combination in it,
say every hour? If so, this would allow users to keep "coming back for
more". I suppose it is difficult to prevent this?
Can you point me at any info re how cron is set up?
Cheers
Geoff
| |
| Geoff Cox 2004-03-03, 4:37 pm |
| On Wed, 03 Mar 2004 10:17:29 -0800, "Michael Vilain
<vilain@spamcop.net>" wrote:
>In article <fg8b40dj3bof6uk7n4go1bdp22j74sonfq@4ax.com>,
> Geoff Cox <geoffacox@dontspamblueyonder.co.uk> wrote:
>
>
>This has been asked elsewhere. Basically, you'll need to be 'creative'
>about it. Apache (assuming you're using that server) doesn't do this.
>Suggestions from the last time this came up were to control access to a
>_directory_ through a CGI script. Either use the date/time stamp on the
>folder or a database to restrict when people can gain access. .htaccess
>would be used to restrict all access from the browser, but a CGI script
>would gain you access however you set it up.
Michael,
Thanks for your reply.
How would access be controlled if .htaccess is not used?
Cheers
Geoff
| |
| Barry Margolin 2004-03-03, 5:37 pm |
| In article <qpic40h0u0bktbhkls4no750qs3je6l6h5@4ax.com>,
Geoff Cox <geoffacox@dontspamblueyonder.co.uk> wrote:
> Re the cron job, how would this work? Would the .htpasswd file be
> replaced by a new version, with a new uid/password combination in it,
> say every hour? If so, this would allow users to keep "coming back for
> more". I suppose it is difficult to prevent this?
I misunderstood what you wanted. I thought you wanted to limit the
times of day that the directories could be accessed, not the duration of
time.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
| |
| Michael Vilain 2004-03-03, 5:37 pm |
| In article <e2jc40lt86n6lk1ffrcbrmhqkpp04jbr9e@4ax.com>,
Geoff Cox <geoffacox@dontspamblueyonder.co.uk> wrote:
> On Wed, 03 Mar 2004 10:17:29 -0800, "Michael Vilain
> <vilain@spamcop.net>" wrote:
>
>
> How would access be controlled if .htaccess is not used?
As I said above, through a CGI script. The directory would not be
accessable through the web server or in it's directory tree (be sure to
setup Apache to prevent someone from seeing the top of your directory
tree).
How to code this is dependent on the CGI programmer and any
specification you give them. If you define what the process is that's
creating this requirement and map it out, then give that to the
programmer, they should be able to take it from there.
Alternately, php could be used to access the directory directly from a
web page.
[notice I'm not giving you the answer in case this is some sort of
homework assignment. Try googling for past discussions to get further
information]
If writing CGI scripts is beyond you, there are O'Reiley books that are
very good for this purpose (http://www.oreilly.com/catalog/cgi2/).
Good luck
--
DeeDee, don't press that button! DeeDee! NO! Dee...
| |
| Geoff Cox 2004-03-03, 7:36 pm |
| On Wed, 03 Mar 2004 14:25:35 -0800, "Michael Vilain
<vilain@spamcop.net>" wrote:
>[notice I'm not giving you the answer in case this is some sort of
>homework assignment. Try googling for past discussions to get further
>information]
Hey! I'm 63 years old and this is not homework! Except that it is work
I am doing at home!
Feel free to give me all the help you can! I can write PERL and php
scripts. My unix skills are not all that great so am not too sure
about using cron or at. The web server is not my own, but I do have
telnet access...
Cheers
Geoff
>
>If writing CGI scripts is beyond you, there are O'Reiley books that are
>very good for this purpose (http://www.oreilly.com/catalog/cgi2/).
>
>Good luck
| |
| Geoff Cox 2004-03-03, 7:36 pm |
| On Wed, 03 Mar 2004 16:54:27 -0500, Barry Margolin
<barmar@alum.mit.edu> wrote:
>In article <qpic40h0u0bktbhkls4no750qs3je6l6h5@4ax.com>,
> Geoff Cox <geoffacox@dontspamblueyonder.co.uk> wrote:
>
>
>I misunderstood what you wanted. I thought you wanted to limit the
>times of day that the directories could be accessed, not the duration of
>time.
Barry,
Ah ... No, the idea is to give prospective users of the web site an
idea of what is available, before they subscribe to it, so I was
thinking that they might have say one hour's access. I am trying to
avoid the hassle of "manually" giving out user ids and passwords...
Cheers
Geoff
| |
| Nick Kew 2004-03-04, 7:36 am |
| In article <birc405df0kbu8uvpe5oecojab6trmpks3@4ax.com>,
Geoff Cox <geoffacox@dontspamblueyonder.co.uk> writes:
> Ah ... No, the idea is to give prospective users of the web site an
> idea of what is available, before they subscribe to it, so I was
> thinking that they might have say one hour's access.
Oh, that's easy. Use an SQL-based authentication scheme, with
a "where time < [subscribe_time + duration]" clause. For example,
I offer subscription with builtin expiry using mod_auth_pgsql.
--
Nick Kew
| |
| Geoff Cox 2004-03-04, 10:37 am |
| On Thu, 4 Mar 2004 10:38:29 +0000, nick@hugin.webthing.com (Nick Kew)
wrote:
>In article <birc405df0kbu8uvpe5oecojab6trmpks3@4ax.com>,
> Geoff Cox <geoffacox@dontspamblueyonder.co.uk> writes:
>
>
>Oh, that's easy. Use an SQL-based authentication scheme, with
>a "where time < [subscribe_time + duration]" clause. For example,
>I offer subscription with builtin expiry using mod_auth_pgsql.
Nick
Is it possible to do this with mysql do you know?
Cheers
Geoff
| |
| Michael Vilain 2004-03-04, 11:37 am |
| In article <tjge405gvv725ulr4k1s8p4ms67o115l7c@4ax.com>,
Geoff Cox <geoffacox@dontspamblueyonder.co.uk> wrote:
> On Thu, 4 Mar 2004 10:38:29 +0000, nick@hugin.webthing.com (Nick Kew)
> wrote:
>
[color=darkred]
> Is it possible to do this with mysql do you know?
>
You could limit access to that directory and all pages in it by putting
PHP code at the beginning of each page that performs authorization using
whatever scheme you want--flat file, MySQL, postgres, Oracle--so long as
there are routines to obtain the password and other information from a
database table in PHP. This would be the easiest to implement other
than access soley through a CGI script.
Trial users would click a "Try It" button and their browser signature+IP
address could be added to a database as a key with the expiration time
as the value returned. Repeat trips to the pages would check the same
browser+IP for the expiration time. If it's passed, then don't allow
them into the protected area. Members would be assigned a username and
password that would be used instead as the key / value to authenticate.
If you use a CGI script, you'll have to do all the file display. If you
use PHP, each file must have a header that does this sort of
authentication.
You seem to be struggling with this idea. Have you tried hiring a
college student to help you map this out? Seems it might shorten your
implementation time, unless this is a hobby/"I want to do it myself"
sort of thing.
In any case, good luck.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
| |
| Geoff Cox 2004-03-04, 12:36 pm |
| On Thu, 04 Mar 2004 08:03:09 -0800, "Michael Vilain
<vilain@spamcop.net>" wrote:
>You could limit access to that directory and all pages in it by putting
>PHP code at the beginning of each page that performs authorization using
>whatever scheme you want--flat file, MySQL, postgres, Oracle--so long as
>there are routines to obtain the password and other information from a
>database table in PHP. This would be the easiest to implement other
>than access soley through a CGI script.
>
>Trial users would click a "Try It" button and their browser signature+IP
>address could be added to a database as a key with the expiration time
>as the value returned. Repeat trips to the pages would check the same
>browser+IP for the expiration time. If it's passed, then don't allow
>them into the protected area. Members would be assigned a username and
>password that would be used instead as the key / value to authenticate.
>If you use a CGI script, you'll have to do all the file display. If you
>use PHP, each file must have a header that does this sort of
>authentication.
>
>You seem to be struggling with this idea. Have you tried hiring a
>college student to help you map this out? Seems it might shorten your
>implementation time, unless this is a hobby/"I want to do it myself"
>sort of thing.
Michael
yes the latter!
Cheers
Geoff
>In any case, good luck.
| |
|
| Geoff Cox wrote:
[color=darkred]
> On Thu, 04 Mar 2004 08:03:09 -0800, "Michael Vilain
> <vilain@spamcop.net>" wrote:
>
But, afaik, this will not stop people from accessing content other than php
(such as images) directly. Even if var/www/gallery1.php has password
protection, there is nothing stoping someone leeching var/www/images/.
| |
| Nick Kew 2004-03-04, 7:35 pm |
| In article <vilain-37A7A9.08030904032004@comcast.ash.giganews.com>,
"Michael Vilain <vilain@spamcop.net>" writes:
I should think so. It's probably implemented in mod_auth_mysql, but
I don't know.
[color=darkred]
> You could limit access to that directory and all pages in it by putting
> php code at the beginning of each page that performs authorization using
Well, you could, but it's inefficient, and throws away Apache's capabilities.
> Trial users would click a "Try It" button and their browser signature+IP
> address could be added to a database as a key with the expiration time
That would be deeply broken, for reasons that are regularly repeated here.
A cookie would be better, though by no means foolproof.
--
Nick Kew
| |
| Geoff Cox 2004-03-05, 12:37 pm |
| On Thu, 4 Mar 2004 20:29:33 +0000, nick@hugin.webthing.com (Nick Kew)
wrote:
>In article <vilain-37A7A9.08030904032004@comcast.ash.giganews.com>,
> "Michael Vilain <vilain@spamcop.net>" writes:
>
>
>I should think so. It's probably implemented in mod_auth_mysql, but
>I don't know.
>
>
>Well, you could, but it's inefficient, and throws away Apache's capabilities.
>
>
>That would be deeply broken, for reasons that are regularly repeated here.
>A cookie would be better, though by no means foolproof.
Nick
just a thought - people have various suggestions re this acess time
limit but I do not get the feeling that anyone is doing this?! It
would be nice to come across steps 1 - 10 on how it can be done!
Cheers
Geoff
|
|
|
|
|