On a members-only site, logged-in members can access the files in the uploads folder; if not logged in, they are redirected to the login screen. I'm using the following in the .htaccess file to do that:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?http://example\/ [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(doc|xls|pdf|html|htm|xlsx|docx|mp4|mov|rtf|ppt|pptx) [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule .*\.(doc|xls|pdf|html|htm|xlsx|docx|mp4|mov|rtf|ppt|pptx)$ http://example/member-login/ [NC]
</IfModule>
# END WordPress
This works great, but I now have a scenario where I need to allow some files from the uploads directory to be accessible to anybody; these files will always be linked to from the home page.
Is there a way I can do this using the file name? Maybe only allowing access to files that are prepended with public_ for example?
Any other ideas about how to solve this?
Cheers
asked Dec 12, 2016 at 19:37 by leanda (edited Dec 12, 2016 at 19:45)

1 Answer
This actually does not work great at all, as the existence of the cookie does not indicate that the user is logged in, or even that he was ever logged in. All it indicates is that someone somehow set that cookie. To know that the user accessing the file is actually logged in or ever was, you need to actually validate the content of the cookie, something that you cannot do in .htaccess.
Granted, that is good enough for probably 95% of the use cases, but if you "hide" something that might be worth "money," you should rethink it.
In theory, the right solution is to avoid putting private information into the uploads directory, and have only public info there. The private info you serve from a URL you define in WordPress, for example a specific page, or with a special rewrite rule, after you check the credentials of the user.
For inspiration, you can look at how the EDD plugin serves its files to people that paid for them.
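One way to serve files through WordPress after a real credential check, as the answer suggests (an added example, not code from the original post or from the EDD plugin). Files whose names start with public_ are exempt, as the question proposes; the private-files directory and the member_file query parameter are assumptions of this sketch.

```php
<?php
/**
 * Plugin Name: Member file gate (added example)
 * Assumes private files live in MEMBER_FILE_DIR and that the web server
 * refuses direct requests to that directory. The directory name and the
 * member_file parameter are hypothetical.
 */
define( 'MEMBER_FILE_DIR', WP_CONTENT_DIR . '/private-files' );

add_action( 'init', function () {
    if ( ! isset( $_GET['member_file'] ) ) {
        return; // not a download request
    }
    $name = wp_unslash( $_GET['member_file'] );
    // Allow plain file names only: no slashes, so no ../ traversal.
    if ( ! is_string( $name ) || ! preg_match( '/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name ) ) {
        status_header( 400 );
        exit;
    }
    // Resolve symlinks and confirm the file is still inside the directory.
    $base = realpath( MEMBER_FILE_DIR );
    $path = realpath( MEMBER_FILE_DIR . '/' . $name );
    if ( ! $base || ! $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        status_header( 404 );
        exit;
    }
    // public_* files go to anyone. Everything else needs a session that
    // WordPress has validated (cookie signature and expiry), not merely a
    // cookie whose name contains wordpress_logged_in.
    $is_public = ( 0 === strpos( $name, 'public_' ) );
    if ( ! $is_public && ! is_user_logged_in() ) {
        auth_redirect(); // redirects to the login page and exits
    }
    $type = wp_check_filetype( $name );
    if ( ! $type['type'] ) {
        status_header( 403 ); // extension not in WordPress's allowed MIME list
        exit;
    }
    if ( ! $is_public ) {
        nocache_headers(); // keep member files out of shared caches
    }
    header( 'Content-Type: ' . $type['type'] );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
} );
```

Links to member files then take the form /?member_file=report.pdf, and the uploads directory holds only material that is meant to be public.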