Restricting access to subdirectories


Can anyone tell me how to restrict the access point to a sub-page/directory? I want to prevent people from bypassing the main page and going directly to a sub-page. That is, I want entry to the sub-page to be allowed only from a link on the main page, rather than directly accessible by URL (e.g. www.mainpage/subpage).


I am not sure on sub-pages in the same directory but a few tweaks to some htaccess rules to prevent image stealing might work for you. The code below blocks linking to cgi, php, html, shtml, and htm pages in a subdirectory except from pages in the top directory of the domain. Place it in an htaccess file in the directory you want to protect (replacing “your-domain” of course) and it should prevent linking.

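# "your-domain" is the placeholder to replace; the http:// and www. forms are assumed
SetEnvIfNoCase Referer "^http://www\.your-domain/" locally_linked=1
SetEnvIfNoCase Referer "^http://www\.your-domain$" locally_linked=1
SetEnvIfNoCase Referer "^http://your-domain/" locally_linked=1
SetEnvIfNoCase Referer "^http://your-domain$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(cgi|php|s?html?)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>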


Of course, there is no perfect solution for this kind of thing, so it’s important to pay attention to the trade-offs of any solution you try to implement. The solution provided by Lord Eirias will generally stop people from loading your pages by clicking on links from pages outside your domain, but it won’t stop them from copying and pasting links into their browser’s address bar and hitting enter, or suggesting the same to other people.

If the goal is to prevent even that case, that will probably need some sort of login system. These are generally too complicated to describe in a forum post, but the logic is straightforward enough to work through. The downsides, of course, are complexity, and that it may not be a good/desirable idea to require users to get accounts.

Ultimately, the goal is to find the best tradeoff between complexity, user friendliness, and functionality. Curse this imperfect world :wink:


Thanks for the help. I guess preventing linking is better than nothing. I have the subpage accessible only by ID/pw but I would prefer even members to go through the front page first.


Must be something weird on my end then as when I used that it would not allow me to enter a domain either… Typed in and it wouldn’t display anything. Removed the htaccess file and I saw the default top section of my site. Not sure if that is a fluke or not but it did appear to me that it wouldn’t show anything unless you were sent to the subpages by a main page.


Well, if I’m reading it right, SetEnvIfNoCase Referer "^$" locally_linked=1 is supposed to allow access if the user provides a blank referrer, which some users configure their browsers to do for “security” reasons. But another way to get blank referrers is to type the address in directly and hit ‘go’, which is why I said that.

As far as I know, there isn’t any server-side way to reliably determine whether a user has typed the address or simply provided an empty referer that would let you treat them differently from a link blocking standpoint. So I think you’re forced to either allow both or deny both. Of course, I could be mistaken, so if you or anyone else knows of a way to treat these two rather different things differently and can explain how it works, I’d be very interested to know.
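An added example, not part of the thread: a small Python model of the htaccess rules posted above, run over constructed requests, showing that the blank-Referer line admits both a browser that sends no Referer and a typed URL, and that dropping the line denies both. The host pattern uses the `your-domain` placeholder; the function names, sample paths and the other-site.example host are assumptions.

```python
import re

# Assumption: "your-domain" is the placeholder host from the posted rules.
LOCAL_REFERER = re.compile(r"^https?://(www\.)?your-domain(/|$)", re.IGNORECASE)
BLANK_REFERER = re.compile(r"^$")
PROTECTED = re.compile(r"\.(cgi|php|s?html?)$")  # the FilesMatch pattern


def allowed(path, referer, allow_blank=True):
    """Model of the posted rules: SetEnvIfNoCase sets locally_linked, then
    'Order Allow,Deny' + 'Allow from env=locally_linked' denies the rest."""
    if not PROTECTED.search(path):
        return True  # FilesMatch does not apply, so nothing is restricted
    referer = referer or ""  # an absent header is matched as an empty string
    locally_linked = bool(LOCAL_REFERER.search(referer))
    if allow_blank and BLANK_REFERER.search(referer):
        locally_linked = True  # the "^$" line
    return locally_linked


# Constructed sample requests: (description, path, Referer header or None)
REQUESTS = [
    ("link on the main page", "/members/page.html",
     "http://www.your-domain/index.html"),
    ("link on another site", "/members/page.html",
     "http://other-site.example/links.html"),
    ("browser set to send no Referer", "/members/page.html", None),
    ("URL typed into the address bar", "/members/page.html", None),
    ("image, outside FilesMatch", "/members/logo.png",
     "http://other-site.example/"),
]


def evaluate(allow_blank):
    """Decision for every sample request, with or without the "^$" line."""
    return [allowed(path, ref, allow_blank) for _, path, ref in REQUESTS]


if __name__ == "__main__":
    for allow_blank in (True, False):
        print(f'"^$" line present: {allow_blank}')
        for (desc, path, _), ok in zip(REQUESTS, evaluate(allow_blank)):
            print(f"  {'allow' if ok else 'deny':5}  {path:20} {desc}")
```

The two blank-Referer requests reach the server as identical input, so they always get the same decision whichever variant is used.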


Sorry if my knowledge is quite novice, but I wonder if setting read, write, executable attributes of the sub folder would help.


Changing access permissions for the files or directories won’t help, since if this succeeds in blocking access, it will block access for everybody no matter what link they followed.

– Dan