Thread: rewrite rule for apache

rewrite rule for apache
user name
2006-08-31 13:22:31
I want to protect a directory, better to say its contents,
from people downloading it
if they are not coming from a specified page.
Now, I understand that the following code redirects
*vicodin.* to a standard error page.

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?.*(-|.)vicodin(-|.).*$ [NC,OR]
< ...lots of other rules go here...>
RewriteRule .* - [F,L]

What rewrite rules should I use if I want users from
index.php?option=login to access the content and everyone
else to be redirected to the standard error page?
Is it even possible to use GET-style params in the referer
field?

Thank you in advance
bituman

rewrite rule for apache
user name
2006-09-06 14:29:30
> -----Original Message-----
> From: bituman [mailto:bitumanenerla.net] 
> 
> I want to protect a directory, better to say its contents,
> from people downloading it
> if they are not coming from a specified page.
> Now, I understand that the following code redirects
> *vicodin.* to a standard error page.

This shouldn't be thought of as a "protection", but more
like a search engine interference, or anti-leeching
mechanism. Since there are a myriad of ways someone could
forge the REFERER field of the HTTP Header...
 
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?.*(-|.)vicodin(-|.).*$ [NC,OR]
> < ...lots of other rules go here...>
> RewriteRule .* - [F,L]
>
> What rewrite rules should I use if I want users from
> index.php?option=login to access the content and everyone
> else to be redirected to the standard error page?
> Is it even possible to use GET-style params in the referer field?

Yeah, it's just a regex. You can Google TONS of docs on
this pretty quickly. Here's an example (I haven't tested,
YMMV) if you wanted to verify the REFERER field for a URL
param and then, lacking that param, rewrite the request URI
based upon conditions like file extension (brackets
commented):

/*IfModule mod_rewrite.c*/
	RewriteEngine on
	RewriteCond %{HTTP_REFERER} !^$
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?index.php(\?)option=login [NC]
	RewriteCond %{REQUEST_URI} !^/avatar/leech.gif [NC]
	RewriteRule \.(gif|jpg|jpeg|png|bmp|swf)$ http://www.anachronic.com/images/avatar/leech.gif [R,NC]
/*/IfModule*/

1. Turns on
2. Catches blank referer
3. Catches your URL param
4. Ignores custom error URI
5. Rewrites URI based upon specific content (extensions) requested

You could also add frame-busting code here, or many other
things, all of which you should find pretty quickly with
our friend Google.

Arian J. Evans
Software Security Person
+1.913.378.3571 [mobile]

"See? That was nothing. But that's how it
always begins. Very small." -Egg Shen
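
The variant the original question asks for (403 for everyone not arriving from the login page), as an added example that is not part of either post and has not been taken from the posters' servers. It assumes the rules live in the .htaccess of the directory being restricted and uses www.example.com as a placeholder host.

```apache
# Added example; www.example.com is a placeholder, substitute the site's host.
<IfModule mod_rewrite.c>
    RewriteEngine on

    # Uncomment to let requests with an empty Referer through (some browsers
    # and proxies strip the header). Left commented, they are refused too.
    # RewriteCond %{HTTP_REFERER} !^$

    # True when the Referer is NOT the login page. The query string is part
    # of the Referer value, so "?option=login" is matched like any other
    # text; the dots and the "?" are escaped so they match literally.
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/index\.php\?option=login [NC]

    # Refuse the request with 403 Forbidden.
    RewriteRule .* - [F,L]
</IfModule>

# The Referer header is supplied by the client, so this is an anti-leeching
# filter, as the reply above says, not access control.
```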



