We have some applications up and running. We have implemented an Access Control List (ACL) in order to control which users can do what (guests included). And here is the trouble:

Whenever we disallow a guest from seeing something, the usual procedure for our software is to set a .htaccess and copy users/passwords from the ACL to the .htaccess/.htpasswd. It has worked like that for many years and offered good protection against unauthorized access.

Of course, with today's standards set by Facebook and co., the idea of a password-protected folder via .htaccess has died down, and our clients/users are very annoyed by the constant password-nagging. To address that issue, I have thought of something, but I don't know if it would work in the real world. That's why I'm asking you guys.

What I want to do is use a .htaccess to disallow all access from unknown domains. The only domain that has direct access to the files is our own domain. With that rule, I can block any access from outside. Now, we update/rewrite certain parts of the software to control file access itself instead of relying on a .htaccess that was set by another procedure.

My idea is that if only our own (or the client's/users') domain is allowed to access the file (ergo, our software), we can protect content from guests and/or other users without relying on .htaccess passwords.

What are your thoughts about this?
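As an added example that is not part of the original post: the three .htaccess variants the question touches on, written for Apache 2.4 (mod_authz_core and mod_rewrite) and placed in the protected directory. The hostname `example.com`, the paths, the file extensions and the gateway script name `download.php` are assumptions; the application language is not stated in the post, so the gateway is only described, not written.

```apache
# /var/www/site/files/.htaccess  (hypothetical path)
# Assumes Apache 2.4 with mod_authz_core and mod_rewrite, and
# "AllowOverride AuthConfig FileInfo" for this directory.

# (1) The scheme the post describes today: HTTP Basic auth against an
#     .htpasswd copied out of the application's ACL. Every new browser
#     session is prompted for credentials.
#AuthType Basic
#AuthName "Members"
#AuthUserFile /var/www/site/.htpasswd
#Require valid-user

# (2) "Only our own domain may fetch these files", expressed on the
#     Referer header. Referer is chosen by the client: a deliberate
#     requester can send "Referer: https://www.example.com/" by hand,
#     while an empty Referer (typed URL, privacy extension) is refused.
#     This stops casual hotlinking, not unauthorized access.
#RewriteEngine On
#RewriteCond %{HTTP_REFERER} !^https://(www\.)?example\.com/ [NC]
#RewriteRule \.(pdf|docx?|xlsx?)$ - [F]

# (3) Close direct HTTP access to the directory entirely and let the
#     application decide. Requests for the files themselves are denied;
#     the application's gateway script (here assumed to be /download.php,
#     outside this directory) checks the logged-in user's session against
#     the ACL and reads the file from disk itself. Filesystem reads by the
#     script are unaffected by this rule, since it governs HTTP requests only.
Require all denied
```

With variant (3), the application keeps old links working by mapping `/files/<name>` to the gateway in the site-root .htaccess (for example `RewriteRule ^files/(.*)$ /download.php?f=$1 [L]`), and the gateway must validate `f` against a whitelist or a database lookup rather than joining it onto a path. Streaming can be done with a plain read of the file or, if mod_xsendfile is installed, by emitting an `X-Sendfile` header so Apache serves the bytes after the script has authorized the request.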