[TriLUG] ot: password protect a url with a querystring
Rick DeNatale
rick.denatale at gmail.com
Tue May 31 18:26:04 EDT 2005
On 5/31/05, Scott Lundgren <trilug at capitalfellow.com> wrote:
>
> I'm pretty sure I'm crazy but sometimes it's good to ask others just to
> make sure. I'm setting up awstats (http://awstats.sf.net) for a number of
> groups.
> I choose awstats because these groups are generally non-technical and
> awstats navigation when run as a cgi tested well for user-friendliness
> with them. As such a user would access their stats at:
>
> webstats.example.com/cgi-bin/awstats.pl?config=group1
> webstats.example.com/cgi-bin/awstats.pl?config=group2
> webstats.example.com/cgi-bin/awstats.pl?config=group3
> etc
>
> However each group could see each other's statistics simply by guessing
> and changing the query string. Ordinarily I would solve this by setting up
> a mod_rewrite to something like
>
> webstats.example.com/group1
>
> with an appropriate .htaccess file mapped to that now virtual location.
> However I'm not allowed to use mod_rewrite (long story).
>
> Is there another way that once I authenticate a user to a uRL like
>
> webstats.example.com/cgi-bin/awstats.pl
>
> I can prevent the group1 user from accessing
>
> webstats.example.com/cgi-bin/awstats.pl?config=group2
>
> thank you for the spare brain cells mine are done cooked,
Just off the top of my head, how about hiding awstats behind an outer
cgi shell which does the authentication on the parameters and then
calls awstat.pl if everything is copacetic.
As a matter of fact, couldn't you just write group1stats.pl which is
in the group1 directory (protected by .htaccess) which just invokes
awstats.pl adding the config=group1 parameter, and repeat for group2
through groupn
More information about the TriLUG
mailing list