17
votes

Been searching for 2 days and can't quite get the right solution due to my lack of understanding of mod_rewrite and time constraints on this project, so hoping someone can help.

The aim

To rewrite all requests to the root index.php if the client doesn't have the correct cookie. If the client has the correct cookie allow them to browse as they wish.

The problem

The htaccess in my subdirectory is taking precedence over my root htaccess, so requests such as www.mydomain.com/subdir/index.php aren't getting redirected.

My root .htaccess

Options FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_COOKIE} !^.*pass.*$ 
RewriteCond %{REQUEST_URI} !^/index.php$
RewriteRule ^(.*)$ http://www.mydomain.com/index.php?url=$0 [NC]

My subdir htaccess

RewriteEngine On
RewriteBase /
RewriteCond $1 !\.(gif|jpe?g|png)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?/$1 [L]

Additional info

Ideally I'm trying to create a password protected area, so all requests are routed to index.php where a password can be entered and when verified a cookie is created, allowing free browsing of contents and sub directories. So if there is a better way to accomplish this then please let me know, and I haven't gone for .htpasswd since I need custom login, error and splash pages.

Also, the subdir .htaccess is an ExpressionEngine URL handler.

Thanks.

1
Regardless of how you fix this, checking for the presence of a cookie is NOT good security. It's trivial to fake one, and since you're not validating the data in the cookie (just checking for its presence), your "security" system is trivial to bypass. - Marc B
@Abe just a suggestion but have you thought about implementing HTTP authentication, if you're only looking to allow access to directories: uk.php.net/manual/en/features.http-auth.php - Lawrence Cherone
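
The point raised in Marc B's comment, as an added example that is not part of the original thread: the `RewriteCond` pattern from the root .htaccess compared with a cookie value the server can actually verify. The function names, the `user|expiry|mac` layout, the secret and the one-hour lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

# Assumption: a secret held only on the server (constructed demo value).
SECRET = b"constructed-demo-secret"
MAX_AGE = 3600  # seconds a login stays valid (assumed policy)

# Same pattern as the root .htaccess RewriteCond on %{HTTP_COOKIE}.
PRESENCE = re.compile(r"^.*pass.*$")


def presence_check(cookie_header: str) -> bool:
    """True when the rewrite condition would treat the client as logged in."""
    return PRESENCE.search(cookie_header) is not None


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, now: int) -> str:
    """Cookie value to set after the password is verified: user|expiry|mac."""
    payload = f"{user}|{now + MAX_AGE}"
    return f"{payload}|{_mac(payload)}"


def verify_token(token: str, now: int) -> bool:
    """Accept only values this server signed and that have not expired."""
    try:
        user, expiry, mac = token.split("|")
        expires_at = int(expiry)
    except ValueError:
        return False
    expected = _mac(f"{user}|{expiry}")
    # Constant-time comparison; bytes so non-ASCII input does not raise TypeError.
    return hmac.compare_digest(mac.encode(), expected.encode()) and now < expires_at


if __name__ == "__main__":
    now = int(time.time())
    samples = {"client-made": "1", "server-issued": issue_token("abe", now),
               "expired": issue_token("abe", now - 2 * MAX_AGE)}
    for label, value in samples.items():
        print(label, presence_check(f"pass={value}"), verify_token(value, now))
```

The signature check has to run in server-side code that serves the protected content, since a `RewriteCond` pattern match on the Cookie header cannot verify an HMAC.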

1 Answer

29
votes

To allow execution of rewrite rules from the parent .htaccess (the .htaccess from the parent folder), you need to explicitly allow it (Apache will treat the rewrite rules in the current .htaccess as the only ones that need to be executed, as long as the rewritten URL remains in the same subfolder).

You need to add this line to your .htaccess in sub-folder:

RewriteOptions inherit

Apache manual: http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions