Thread: .htaccess prevents itself from being viewed but not "sess*" files in directory
View Single Post

  #6 (permalink)  
Old 12-07-2006
phillip.s.powell@gmail.com
 
Posts: n/a
Default Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
HansH wrote:
> <phillip.s.powell@gmail.com> schreef in bericht
> news:1165360511.201238.220110@l12g2000cwl.googlegr oups.com...
> > <Directory />
> > Options -Indexes
> > </Directory>
> >
> > <Files ~ "^\.ht">
> > order allow,deny
> > deny from all
> > </Files>
> Odd you have do set this yourself, should be in httpd.conf.
>
> > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> See 'session.hash_bits_per_character' at
> http://www.php.net/manual/en/ref.session.php
>
> > order allow,deny
> > deny from all
> > </Files>
>

What I tried doing was this, out of desparation:

<Files>
order allow,deny
deny from all
</Files>

And even then all session files were still viewable. That's when I
concluded perhaps it is due to the nature of how PHP names its session
files (no PHP session file has any extension, just a name), and that's
perhaps why it is not even recognized, just perhaps, as a file in the
first place and thus, isn't filtered by the Files directive and remains
viewable in spite of the directory global restriction

Phil

> > This is designed to prevent itself, all files beginning with "sess" and
> > the directory listing from being viewed.
> Your session.save_path in php.ini should be set _outside_ the document tree
>
> HansH