views:

314

answers:

2

I have developed sort of a Server Explorer as a module for our web application, and it actually works great. I am doing some refinements to it and there is one problem I don't really know how to tackle.

The Explorer is mainly used to choose pictures from a specified folder and its subfolders. As some schools are concerned about distribution of pictures outside of their establishment, we gave them an option to secure their pictures with .htaccess (actually via a web interface which in turn writes the .htaccess) if they want to.

When I try to access a folder which is protected by .htaccess, I am prompted for a password for each and every picture inside that folder. It is worth noting that teachers tend to take 100+ pictures at every major event and like to cram them into one single folder, so it actually isn't rare that the browser opens up 100+ dialog boxes.

We are running Perl in the backend so I thought that I could check if a given folder is protected or not before delivering the content to jQuery. Problem is, images can also be protected by a .htaccess from a parent folder.

Is there any secure way to check if an outsider can access these pictures (or files, to keep it generic and open for other uses) before giving out the pictures?

EDIT - Added .htaccess file
## OLEFA AUTH START ##
AuthType Basic
AuthName "192.168.1.120/resources/images/accesstest"
AuthUserFile /home/mike/workspace/olefa//resources/images/accesstest/.htpasswd
require valid-user
## OLEFA AUTH END ##

+1  A: 

An option you might want to explore is storing a non-image placeholder file in each directory and retrieving it before the images. If you fail to retrieve it, you don't do the image pull, and interpret this as meaning the directory is secured against this user. That way, you'll only get a single password dialog popping up, and if they have a valid username and password, the browser will remember it for the image retrievals.

chaos
There might be a problem with that, because jQuery returns a success if the JSON was loaded, independent of whether the file is accessible or not. (The JSON only delivers the links to the pictures, while jQuery actually tries to load them.) I was thinking of a way for Perl to find out if something isn't publicly available and, if not, return a special parameter so jQuery can ask for credentials before trying to load any pictures (or at least not let jQuery try to load the pictures, or remove that folder altogether from the list).
Mike
So don't go by whether jQuery returned a success; go by whether it retrieved known contents of the placeholder file (for example, the word "success").
chaos
It's also possible that .htaccess contains <Files> directives which restrict specific sets of files, so unless the placeholder file is in that set the technique would break in that case, indicating access is permitted when in fact it is restricted.
Adam Bellaire
I'll do it with a combination of what you proposed and a hack, by which I misuse the Apache error responses (401 and 200/404) to see if the htaccess password was correct or not. Only then will the pictures be loaded in a second request.
Mike
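A server-side version of the check the question asks for, taking the <Files> caveat from the comments into account: walk from the requested file's directory up to the document root and see whether any .htaccess on the way applies a Require to that file name. This is an added example in Python rather than the Perl backend, not code from the question or the answers; it assumes the backend can read the .htaccess files, only looks at Require directives (not Satisfy/Allow rules or <Limit> blocks), and builds a constructed directory tree in demo().

```python
import fnmatch
import os
import re
import tempfile

REQUIRE_RE = re.compile(r"^\s*require\s+(?!all\s+granted)", re.I)  # "Require all granted" (2.4) opens access
FILES_OPEN = re.compile(r'^\s*<files(match)?\s+"?([^">]+?)"?\s*>', re.I)
FILES_CLOSE = re.compile(r"^\s*</files(match)?\s*>", re.I)

def htaccess_requires_auth(path, filename):
    """A Require outside <Files> covers the whole directory; inside, only matching names."""
    scope = None  # None = directory-wide, else ("name"|"match", pattern)
    with open(path) as fh:
        for line in fh:
            m = FILES_OPEN.match(line)
            if m:
                scope = ("match" if m.group(1) else "name", m.group(2))
            elif FILES_CLOSE.match(line):
                scope = None
            elif REQUIRE_RE.match(line):
                if scope is None or (fnmatch.fnmatch(filename, scope[1]) if scope[0] == "name"
                                     else re.search(scope[1], filename)):
                    return True
    return False

def is_protected(docroot, relpath):
    """Walk from the file's directory up to docroot, so a parent .htaccess counts too."""
    docroot = os.path.abspath(docroot)
    full = os.path.abspath(os.path.join(docroot, relpath))
    if not full.startswith(docroot + os.sep):  # refuse paths that escape the web root
        raise ValueError("path escapes document root")
    d, filename = os.path.split(full)
    while True:
        ht = os.path.join(d, ".htaccess")
        if os.path.isfile(ht) and htaccess_requires_auth(ht, filename):
            return True
        if d == docroot:
            return False
        d = os.path.dirname(d)

def demo():
    # Constructed tree: gallery/ protects everything below it, public/ only *.jpg via <Files>.
    root = tempfile.mkdtemp()
    for sub, text in (("gallery", "AuthType Basic\nrequire valid-user\n"),
                      ("public", '<Files "*.jpg">\nrequire valid-user\n</Files>\n')):
        os.makedirs(os.path.join(root, sub, "event1"))
        with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
            fh.write(text)
    return {"nested": is_protected(root, "gallery/event1/a.jpg"), "files_jpg": is_protected(root, "public/b.jpg"),
            "files_png": is_protected(root, "public/c.png"), "open": is_protected(root, "index.html")}
```

The backend would call is_protected() for each folder it lists and flag protected ones in the JSON so the client can prompt once (or skip them) instead of firing off 100 image requests.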
A: 

It sounds like you might be building layer upon layer of fix-it code onto a deficient design or process.

If you are getting the username-password dialog for every image from the same directory, I initially suspect:

  1. htaccess is somehow misconfigured. Can you show us what you have?
  2. The user-agent isn't sending the authorization header. Look at the HTTP requests to verify that you see an Authorization header. Also look at the response status. Is it 401 or 403?

If you are trying to access resources at different paths, are you using a different realm for every folder? The credentials only apply to the realm that presented the challenge. If you access another realm, you have to start over. How are you specifying that in your htaccess?

Some other things that could help us:

  • What sort of authentication are you using? Basic, Digest, something else?
  • Are you using a custom authorization handler?
brian d foy
Updated: .htaccess is now in Question
Mike