1

Please could I request for your advise on the following problem:

I'd like to restrict access to a web folder through the Web URL (I understand that this could be done using .htaccess). However, my concern is that I'd also like the code files in this folder to be accessible to AJAX calls.

Reference question: deny direct access to a folder and file by htaccess

Is it therefore correct to assume that any access allow/deny rule in .htaccess is automatically applicable to AJAX calls as well (since they're based on URLs)? And if so, what could be the best way to let the server access mechanism know that it's some "code" that is trying to communicate with it?

Please do let me know if I could provide any clarifications or additional details. Thanks a lot!

4

2 回答 2

2

你可以这样做HTTP_REFERER,把这段代码放在你的DOCUMENT_ROOT/.htaccess文件中::

RewriteEngine On

## disable direct access
RewriteCond %{HTTP_REFERER} !^$ 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/ [NC] 
RewriteRule ^somefolder - [F,NC]

虽然我必须补充一点,HTTP_REFERER基于检查不是很强大,而且很容易被欺骗。

于 2013-10-28T18:31:36.410 回答
1

您应该实现基于会话的身份验证机制。

  1. 在您的应用程序中,用户登录。
  2. 在您的 ajax 文件中,您测试用户是否已通过身份验证,如果没有,则返回一个403 Forbidden标头。

您还可以使用 ajax 发送自定义标头,并在您的 ajax 文件中进行测试,或者使用.htaccess(如果存在)进行测试。但这不如身份验证安全,因为有人可以伪造请求。

于 2013-10-28T18:32:38.667 回答