This is a discussion on ".htaccess prevents itself from being viewed but not "sess*" files in directory" within the Apache Web Server forums, part of the Web Server and Related Forums category.
phillip.s.powell@gmail.com wrote:

> HansH wrote:
> > <phillip.s.powell@gmail.com> wrote in message
> > news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> > > What I tried doing was this, out of desperation:
> > >
> > > <Files>
> > > order allow,deny
> > > deny from all
> > > </Files>
> > What files are to be denied without specifying a filename ??
> > Test for me
> > <Files ~ ".">
>
> Sorry, I tried that and the session files are still viewable via
> browser:
>
> <Files ~ ".">
> order allow,deny
> deny from all
> </Files>
>
> > > And even then all session files were still viewable. That's when I
> > > concluded perhaps it is due to the nature of how PHP names its session
> > > files (no PHP session file has any extension, just a name),
> > Thinking name-dot-extension ... is a Microsoft doctrine.
> >
> > BTW your sess* files are at the document_root ...???
> > If not, try
> > <Location /<folder>/>
> > order allow,deny
> > deny from all
>
> Sorry, that also failed; the session files are easily viewable via
> browser :(
>
> <Location /path/to/session/files>
> order allow,deny
> deny from all
> </Location>
>
> > HansH
> > </Location>

Since we're talking silly-land solutions here for a silly setup, why not just use a rewrite for all files starting sess_ and ending with 32 chars? The rewrite could rewrite to a "dev/null" script. Why not use allow,deny and allow for localhost, no one else? Or basic auth, for all but localhost. I know it shouldn't be needed, but I only mention it because everyone's going for the regular solutions and they aren't working; meanwhile your users are unprotected, and maybe your apps, and server!
<phillip.s.powell@gmail.com> wrote in message
news:1165595006.771399.176320@l12g2000cwl.googlegroups.com...
> <Location /path/to/session/files>

If /path/to/session/files is a local path, use Directory.
The full path shown may vary per ftp, http and php, depending on the extent of chroot-ing.

> order allow,deny
> deny from all
> </Location>

Final attempt: put an index.html in the folder containing those pesky sess* files.

HansH
HansH wrote:
> <phillip.s.powell@gmail.com> wrote in message
> news:1165595006.771399.176320@l12g2000cwl.googlegroups.com...
> > <Location /path/to/session/files>
> If /path/to/session/files is a local path, use Directory
> The full path shown may vary per ftp, http and php, depending on the extent
> of chroot-ing
>
> > order allow,deny
> > deny from all
> > </Location>
>
> Final attempt: put an index.html in the folder containing those pesky sess*
> files

Yeah, <Directory /path/to/session/files> failed too, sorry, but the session files are clearly visible. I gave up and put in a blank index.html and will hope for the best.

Phil

> > HansH
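The thread ends without a working rule, so here is an added configuration example (not posted by anyone in the thread) showing the two controls a defender would normally apply: move session.save_path out from under DocumentRoot, and deny the directory in the server configuration, where a missing AllowOverride cannot silently disable it. The paths /var/lib/php/sessions and /var/www/html/sessions are constructed placeholders.

```apache
# Added example, not from the thread. Put this in httpd.conf or a
# <VirtualHost>, not in .htaccess: <Directory> is not permitted inside
# .htaccess, and a .htaccess file is ignored wherever AllowOverride is
# None, which is one reason "deny from all" can appear to do nothing.
# All paths below are constructed placeholders.

# Preferred fix: store session files where Apache never serves from.
# (mod_php directive; the same setting can go in php.ini.)
php_admin_value session.save_path "/var/lib/php/sessions"

# If the directory must remain under DocumentRoot, deny it by path.
# Apache 2.4 syntax:
<Directory "/var/www/html/sessions">
    Require all denied
</Directory>

# Apache 2.2 syntax (the version current when this thread was written):
# <Directory "/var/www/html/sessions">
#     Order deny,allow
#     Deny from all
# </Directory>

# Defence in depth (2.4 syntax): match PHP's session filenames, which are
# "sess_" followed by the session id with no extension, wherever they
# appear under the document root.
<FilesMatch "^sess_[0-9a-zA-Z,-]+$">
    Require all denied
</FilesMatch>
```

A blank index.html only suppresses the directory listing; a request that names a session file directly still succeeds unless one of the rules above applies.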