Redirect all traffic to holding page unless logged in using .htaccess - apache

I currently have a landing page set up on my domain.com which already receives traffic.
It will shortly be replaced with an online store. I need to upload this store to my live server in order to get it approved by the Merchant Facility Providers (MFP), and they require it to be accessible from its final live location on domain.com in order to get approvals. I can't have users access this site until it has met approvals.
To accomplish this I wish to redirect all domain.com traffic to domain.com/holding/ except for MFP visitors.
Ideally this would be restricted by IP address, however MFP say they will need to grant a number of external parties access, and so IP address based access will not be acceptable and I should use passwords.
So my question is, how can I automatically redirect all traffic from domain.com to the holding page domain.com/holding/ unless they have logged in using a password at domain.com/login?
Users visiting the domain.com should not be asked for a password.
Will this be possible using just .htaccess/.htpasswd?
If so, can someone suggest the logic of how it could work?

It's not possible using just an .htaccess file as all visitors would be presented with an HTTP standard authentication dialog if you enabled it on your domain.com site at the doc_root level.
Without knowing what scripting language you're using (you've not indicated it in the tags, just apache), you could provide one index page that both acts as a landing page for users/potential users and provides a login (username/password form) for MFP parties (wherever they may come from).
That way, you fulfil both needs without offending or discriminating in any way against any party.

As @nickhar has pointed out, there appears to be no way of doing this using just .htaccess.
My solution was to use a rewrite rule to redirect all requests from domain.com to domain.com/holding unless a specific cookie was set (checked for using RewriteCond %{HTTP_COOKIE}).
I set this cookie in a php script on domain.com/login, which was password protected using .htaccess/.htpasswd.
This is by no means a particularly secure solution, but is adequate for my purposes of keeping the site hidden from general traffic while the approval process is completed.
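The cookie-gated redirect this answer describes could be configured as follows. This is an added example, not the poster's configuration: the cookie name `preview_access`, the token placeholder and the `.htpasswd` path are assumptions, HTTPS is assumed, and the cookie is set with mod_rewrite's `CO` flag in place of the PHP script the answer used.

```apache
# Added example. Hypothetical names: cookie "preview_access", the
# placeholder token, and the .htpasswd path. Assumes HTTPS on domain.com.

# ---------- /.htaccess (document root) ----------
RewriteEngine On

# Never redirect the holding page itself (avoids a loop) or the login area.
RewriteCond %{REQUEST_URI} !^/holding/
RewriteCond %{REQUEST_URI} !^/login(/|$)
# Require the exact name=value pair; testing only for the cookie's name
# would let in any visitor who sets an empty cookie by hand.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)preview_access=REPLACE_WITH_LONG_RANDOM_TOKEN(;|$)
# 302, not 301: browsers cache permanent redirects, which would keep
# sending real customers to /holding/ after launch.
RewriteRule ^ /holding/ [R=302,L]

# ---------- /login/.htaccess ----------
AuthType Basic
AuthName "Store preview"
AuthUserFile /path/to/.htpasswd
Require valid-user

RewriteEngine On
# Per-directory rewrite rules run after authentication, so this rule is
# only reached with valid credentials. It sets the cookie for 1440 minutes
# (one day), flagged Secure and HttpOnly, then sends the reviewer to the
# site root. The answer's PHP script would perform this step instead.
RewriteRule ^ / [R=302,L,CO=preview_access:REPLACE_WITH_LONG_RANDOM_TOKEN:domain.com:1440:/:secure:httponly]
```

The token is a static shared secret sent with every request, so it only hides the site from casual traffic; remove both files' rewrite rules once approval is complete.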

Related

What htaccess rule would you use to redirect users already using the secure version of your site to purely secure links without affecting HTTP access?

Basically if somebody is already on an HTTPS page, I don't want them to be capable of being redirected to/accidentally clicking an HTTP one (on the same site at least). It seems to me like you would use the referer as a RewriteCond to accomplish this, except for the fact that it is apparently browser policy not to send referers when going from HTTPS pages to HTTP ones. So if a user loads an HTTP page, how can I detect if they came from an HTTPS one and make sure they are redirected to the secure version of the page they are trying to access?
Unfortunately the software we are using has many hardcoded HTTP links so it is necessary to use some sort of redirection.

Google Analytics: subdomains and Apache's basic auth

I have two questions to which I can't seem to find clear answers.
(1) I have GA tracking set-up for my domain.com.
(2) I also have the same tracking code set in the <head> of some other subdomains: sub1.domain.com, sub2.domain.com, etc.
(3) The subdomains are protected with Apache's basic auth, which requires a username and a password to access them.
Questions:
Does GA automatically track traffic from subdomains?
Is it possible that GA still sends calls from auth-protected subdomains?
Thank you!
While you have to set a domain name in the configuration, tracking is not limited to that domain; Google Analytics tracks traffic from every domain with the given account id, be it domains and subdomains or different domains (except that sessions are interrupted if the user switches between domains unless you have set up cross domain tracking). So that is a yes, subdomains will be tracked.
Basic Auth prevents people from accessing your site, it does not prevent your site from accessing URLs on the internet. The call to Google's tracking server is, at the end of the day, simply a call to some URL. So yes, Google will still send calls from auth-protected (sub-)domains.

Joomla persistent user sessions across fake subdomains and primary domain

Can someone please help me to find a solution to maintaining the session across subdomains.
The site uses fake subdomains for users, eg. (thisuser.mysite.com/). All the fake subdomains map to the main site (mysite.com) so there's a common database for everything.
The subdomains are used only for a couple of components (com_xxx) on the site. For other components the user is redirected to the main site via htaccess.
The problem is when a user is redirected to mysite.com from thisuser.mysite.com and vice versa. Their session is not maintained. The user has to log back in again.
I have tried updating the cookie domain in php.ini to '.mysite.com' but it doesn't seem to help.
Is it possible that the site may have auto-logins across all subdomains and main domain without any core hacks, assuming the solution lies in making cookies readable from all subdomains, irrespective of from where it's being set?
Thanks all, for your time and suggestions !
I'm not sure how you could do this....
Here is just an idea, it would rely on javascript...
When a user logs in using your login form... a hidden iframe would exist and JavaScript would post your login data to the login page of each domain for your site, chaining them...
I don't feel it's a safe thing though... maybe I'm wrong...
You could use Joomla's MooTools framework to send AJAX requests to each domain...
Otherwise you might want to check how Joomla creates a session row in the database for each user on the site. Maybe you can just create them for each domain with 1 login. I'm going to check my MySQL....
Are you using Joomla 1.5 or 2.5?
Otherwise i found this document for you:
http://docs.joomla.org/Multiple_Domains_and_Web_Sites_in_a_single_Joomla!_installation
Okay, this was easy. I was testing on the local machine and it seems if the domain doesn't have the dot, then the cookies are not handled well.
Just ensuring that cookie domain is set to '.mysite.com' gets the job done
1. It is also recommended that you use the same Joomla "secret" configuration value in the different websites as it is used to check the data exchanged between the different domains.
2. that cookie domain is set to '.mysite.com' gets the job done

Any way to balance loads in tomcat by partitioning User Names?

For example: Once a user has logged in, the server side then needs to route the HTTP traffic to a certain tomcat instance because all his/her files (not in DBMS but in local HD) are stored on that machine and there will be interactions between the web app and underlying FS. Any way to do this?
Thanks!
This is often done by redirecting to a server specific URL at or following login. The user's session then continues with that URL. I frequently find www replaced with www1, www2, etc, after login on sites I use.

Why are two authentication cookies being created? One for www and the other without the www

I'm having this problem with my dotnetnuke website where the .DOTNETNUKE cookie is being created twice,
one for www.website.com and one for website.com.
When a user logs in with a url of website.com and tries to access a page that is www.website.com it causes them to re-login with a new cookie for www.website.com. This results in two cookies, one for www.website.com and another for website.com.
How do I fix this, does anyone have any ideas where to start?
Thanks!
John
This has to do with the dot rule. One of the security checks that a browser does is to make sure that a cookie's domain has the same number of periods as the domain it's on. A cookie from www.example.com will have the domain "www.example.com" or "*.example.com", whereas a cookie from "example.com" will have the domain "example.com". So the browser's thinking "example.com isn't/may not be the same as www.example.com, better get a new cookie just in case."
Set up your server so that it redirects your users to either www or no-www. Make sure you choose one or the other and stick with it. Having two will not only cause your current cookie woes, but possibly hurt your page rank in search engines.
See here for more info:
A question on SO relating
Dot rule stuff
To avoid IIS configuration I found a url rewriting tool here http://urlrewriting.net/149/en/home.html. It works like a charm!