
I've "secured" my site using CGI::Session, but my webserver has an alias directory that points outside the document root and contains files:

    Alias /files /myData/all
    <Directory /myData/all>
        Options Indexes MultiViews
        AllowOverride None
        Order deny,allow
        Allow from all
    </Directory>

How can I link the directory to my CGI::Session so that it's secure? How would Apache know if the user has a valid cookie and allow them access to /files?

Similar question: Using PHP/Apache to restrict access to static files (html, css, img, etc)


You didn't secure your 'site'.

When visitors load your perl script(s) - however you've arranged to do that in Apache - your script reads their sent cookies, finds the one it's interested in, looks that up in its session store (might be a DB_File archive on disk) and attempts to load a "session" from the store.

It's your decision what to do from there; you're probably telling the visitor to log in if there's no session, and otherwise showing (the logged in user) privileged parts of your 'site' (possibly including a 'logout' option which destroys the session store for that logged in user).

For that other folder to be 'protected' you'll need to serve it using another perl script. Either by:

  • a) rewriting requests, or
  • b) writing a mod_perl authentication handler which recognises the session store
  • c) changing your session module to one that is integrated better with Apache

Not sure how up-to-date it is, but Apache::SessionManager appears to offer a session API that's accessible from both your perl code and as an Apache authentication handler -- exactly what you asked for, IMHO, except that it's not CGI::Session doing the implementation - i.e. option c) above.

  • how would a rewrite work in this case? I am open to changing my implementation – Jabda Jan 03 '14 at 15:42
  • In a) above, I mean use `mod_rewrite` to alter requests for `/some-path/filename` to `/other-path/your-script.cgi?file=filename`. Then you just do the same authentication in `your-script.cgi` as in the rest of your site. On success, set the appropriate `Content-type:` and `Content-disposition:` headers before printing the file contents itself. On failure, 302-redirect to your login page. You should probably make the folder containing the files inaccessible via Apache directives. Also, you might wish to hide what's going on by using `mod_proxy` instead of `mod_rewrite` for the initial request. – David-SkyMesh Jan 04 '14 at 07:09
  • This does work, but is there any way to make the entire folder accessible. Maybe if your-script.cgi authenticates correctly it redirects you to /some-path/. – Jabda Jan 09 '14 at 18:39
  • 1
    Read the documentation for Apache::SessionManager, it's an Apache auth handler. You can combine it with ``. – David-SkyMesh Jan 10 '14 at 00:49
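Worked example of option a) from the answer, added here (not code from the question, the answer, or the CGI::Session or Apache documentation): a Perl CGI script that serves a single file from /myData/all only when the visitor's cookie resolves to a logged-in CGI::Session session, and otherwise 302-redirects to the login page. The script name serve-file.cgi, the session directory, the login URL and the `user` session parameter are assumptions; the RewriteRule in the header comment stands in for the Alias block in the question.

```perl
#!/usr/bin/perl
# serve-file.cgi (assumed name): gate /myData/all behind the same CGI::Session login as the site.
# Apache side, replacing the open "Alias /files" block (script path is an assumption):
#   RewriteEngine On
#   RewriteRule ^/files/([^/]+)$ /cgi-bin/serve-file.cgi?file=$1 [PT,L]
# No Alias or <Directory> "Allow from all" may remain for /myData/all, or the gate is bypassed.
use strict;
use warnings;
use CGI;
use CGI::Session;
my $FILE_DIR    = '/myData/all';        # from the question
my $SESSION_DIR = '/tmp/cgisess';       # assumed: the store the login script already uses
my $LOGIN_URL   = '/cgi-bin/login.cgi'; # assumed
my %MIME = (pdf => 'application/pdf', txt => 'text/plain', png => 'image/png');
my $cgi = CGI->new;
# 1. Load (never create) the session named by the visitor's cookie; no session, no file.
my $session = CGI::Session->load('driver:file', $cgi, { Directory => $SESSION_DIR })
    or die CGI::Session->errstr;
if ($session->is_empty || $session->is_expired || !$session->param('user')) {
    print $cgi->redirect(-uri => $LOGIN_URL, -status => 302);
    exit;
}
# 2. The ?file= value is URL input under the visitor's control. Allow one plain filename only
#    (no "/", no leading "."), otherwise this script turns into a path-traversal hole.
my $name = $cgi->param('file') // '';
if ($name !~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/) {
    print $cgi->header(-status => '400 Bad Request', -type => 'text/plain'), "bad file name\n";
    exit;
}
my $path = "$FILE_DIR/$name";
if (!-f $path) {
    print $cgi->header(-status => '404 Not Found', -type => 'text/plain'), "no such file\n";
    exit;
}
# 3. Send the headers the answer mentions, then stream the bytes.
my ($ext) = $name =~ /\.([A-Za-z0-9]+)$/;
my $type = $MIME{ lc($ext // '') } // 'application/octet-stream';
print $cgi->header(
    -type           => $type,
    -content_length => -s $path,
    -attachment     => $name,          # Content-Disposition: attachment; filename="..."
    -cache_control  => 'private',      # shared caches must not keep a gated file
);
open my $fh, '<:raw', $path or die "open $path: $!";
binmode STDOUT; my $buf;
print $buf while read $fh, $buf, 65536;
close $fh;
```

The script only gates what is routed through it, so the original Alias must go, or anyone can still fetch /files/... directly.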