Restricting Access With .htaccess

[TWM]

How would i go about only letting people have access to a certain area when they arive there from a certain place?

EX:

I have a members only area. You login by filling out a simple script, and its processed in login.php. When you login it directs you to another url... mywebsite.com/membersarea. Nothing is secure, so you could just go to that URL without logging in...noone knows that, but they could figure it out.

I want to use .htaccess so that the only way you can view that directory is if you come FROM mywebsite.com/login.php. Can this be done?

 

[vip-ip]

Here's a very thorough tut for ya

http://www.technotrade.com/htaccess.html

 

[TWM]

Not really what i need... i basically need it to do this:

If a user comes from a certain file, give access. If it comes from ANY other place, restrict access.

 

[slantednet]

Using the REFERER of the browser is insecure, people can set the REFERER field, and it's not reliable.

You can do other options, such as within the login script, after a successful login, insert their IP address and username in a "current_connections" table. Pass the username to the members area page when you redirect and very first thing in the members area page verify that the connection for the username is coming from the same IP (hence, they went through the login page successfully). Of course, you'd have to remove them from the "current_connections" table either when they manually log out of the system, and have a method of removing "stale" logins from the system as well...

Then, if they bypass the login script and go right to the members page and they haven't gone through the login script, the members page will see their username/IP pair isn't in the current_connections table and you can redir them back to the login page.

And this keeps it all server-side, which avoids the pitfalls of using cookies...

hmm... that took more time to explain that it would have to just write.. lol..