Private Directory
This article describes how to make a private directory. Only browsers with a certain cookie can access it. You control the web page with the cookie-setting JavaScript.
(To learn how to block all browsers and bots, including your own, see the Effective Block for Browsers and Bots article.)
The private directory is created with a line in an .htaccess file. The line looks for a certain cookie with a certain value. If the browser doesn't have the cookie, it is redirected to the domain's home page.
The cookie is set with JavaScript in an orphan web page. An "orphan" is a web page that is not linked to from anywhere. We'll call this web page the cookie-setting page.
The procedure for accessing the private directory is:
- Load the cookie-setting page. (Make sure your browser is accepting cookies.)
- Access pages in the private directory.
You control the file name of the cookie-setting page. It can be something unlikely to be guessed, like eeir_rr44-5eWWs.html
If you're super-cautious, upload the cookie-setting page only when you need it and then immediately delete it from the server.
Once the cookie is set, the browser can access the private directory so long as the cookie exists. The cookie exists until the browser is exited or the cookie is manually deleted.
Implementing the Private Directory System
Implementation is two steps:
- Put some code into the .htaccess file of the private directory.
- Upload the cookie-setting page to your server.
Here are instructions along with the code. All is copy and paste unless you decide to change the cookie name or the cookie value.
1. Put the code below into the .htaccess file located in the private directory.
If no .htaccess file currently exists in the directory, create one. (Some computers won't display files with names starting with a period. For those, name the file htaccess.txt while it's on your computer. After the file is uploaded to the server, rename the file on the server to .htaccess)
Here is the code for the .htaccess file:
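```apache
# Enable URL rewriting for this directory
RewriteEngine On
RewriteBase /
# If the Cookie header does not contain TempCookie=Yes ...
RewriteCond %{HTTP_COOKIE} !TempCookie=Yes
# ... send every request in this directory to the home page
RewriteRule .* / [L]
```

The code assumes a cookie name "TempCookie" and its value "Yes".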
With the code in the .htaccess file, the existence of a cookie with the specified name and the specified value is checked. Both the name and the value must be correct before the browser is allowed access to files in the directory.
To change the cookie name or its value, change TempCookie or Yes to what you prefer. If either or both are changed, the JavaScript (further below) needs to be changed accordingly so the correct cookie is set when the JavaScript is run, a cookie that will pass the .htaccess code.
2. Upload the cookie-setting page to your server.
The code for the cookie-setting page is below. Save it to your server as setcookie.html (or a file name unlikely to be guessed). Upload the file to your server.
```html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title>Cookie Setter</title>
</head>
<body>
<script type="text/javascript">
// Session cookie (no expiry), valid for every path on the domain
document.cookie = "TempCookie=Yes; path=/";
</script>
</body>
</html>
```

The code assumes a cookie name "TempCookie" and value "Yes".
To change the cookie name or value, change TempCookie or Yes to what you prefer.
Note: The cookie name and value in the cookie-setting page and in the .htaccess file of the private directory must be identical. If one is changed, the other also must be changed.
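The RewriteCond pattern in step 1 is an unanchored regular expression, so it is satisfied wherever the text TempCookie=Yes appears in the Cookie header. The following added example (not code from this article) emulates that check in JavaScript over constructed header values and compares it with an anchored pattern; the anchored pattern and the function names are assumptions of this example, not the article's rule.

```javascript
// Emulates how mod_rewrite applies a RewriteCond pattern to the Cookie
// request header (%{HTTP_COOKIE}). Added example, not the article's code.

// Pattern as it appears in the .htaccess code above: an unanchored search.
const UNANCHORED = /TempCookie=Yes/;
// Assumed stricter variant: the pair must be a whole cookie, bounded by the
// start of the header or ";" on the left and ";" or end of header on the right.
const ANCHORED = /(^|;\s*)TempCookie=Yes(;|$)/;

// "RewriteCond %{HTTP_COOKIE} !pattern" makes the RewriteRule fire when the
// pattern does NOT match, so access is allowed only when it does match.
function allowsAccess(pattern, cookieHeader) {
  return pattern.test(cookieHeader || "");
}

// Constructed Cookie header values (sample input, not captured traffic).
const SAMPLES = [
  "TempCookie=Yes",                      // exactly the expected cookie
  "theme=dark; TempCookie=Yes; lang=en", // expected cookie among others
  "",                                    // no cookies at all
  "TempCookie=No",                       // right name, wrong value
  "TempCookie=Yesterday",                // value only starts with "Yes"
  "NotTempCookie=Yes",                   // name only ends with "TempCookie"
  "note=TempCookie=Yes",                 // text appears inside another value
];

// Evaluate every sample against both patterns.
function compare(samples) {
  return samples.map((header) => ({
    header,
    unanchored: allowsAccess(UNANCHORED, header),
    anchored: allowsAccess(ANCHORED, header),
  }));
}

// Headers that the two patterns treat differently.
function disagreements(samples) {
  return compare(samples)
    .filter((row) => row.unanchored !== row.anchored)
    .map((row) => row.header);
}

console.table(compare(SAMPLES));
console.log("Treated differently:", disagreements(SAMPLES));
```

To use the anchored form in the .htaccess file, the condition line would read `RewriteCond %{HTTP_COOKIE} !(^|;\s*)TempCookie=Yes(;|$)`.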
Using the Private Directory System
To use the system, load the cookie-setting page into your browser. Then access the private directory.
The file name of the cookie-setting web page may be changed from time to time or the file may be removed from the server when unneeded.
Only browsers with the correct cookie and value can access the private directory.
Will Bontrager