i've already submitted this to support and they are working on it, but i was wondering if anyone else has come across this strange behavior. i am protecting two folders via php_include and mod_rewrite. one folder is for one subscription. the other folder is for another subscription. each should not be accessible by the other subscription. upon successful login with one account, i have access to the protected folder the account is supposed to have. however, i can access the other protected folder by changing the URL in the addressbar in IE. this user should not have access to this folder, but they do!!! i've checked the product and folder configurations and they look fine. .htaccess in each directory looks correct and is set for the right product id. i've cleared cookies and cache many, many times. i've tried the demo on the cgi-central front page and the protection works even after manually switching urls, but it's running 2.1.6pro. anyone have 2.1.8 pro and can quickly test this on their installation for me? or has someone else come across this problem as well, fixed it on their own, and can give me some quick tips on how to fix this. i'm beginning to suspect my server configuration or a script bug. i've been able to duplicate this behavior on more than 5 different machines. Alex says the protection works for him, but I can't seem to get it working, which makes this problem more difficult to troubleshoot... thanks in advance. -james
Hi James, I have a similar set up to what you have and am not seeing any problems. I tested this by logging on as one user and then trying to access a folder that the user should not have access to. I get the message: "Access is not allowed. Please go to "Membership information page" to renew or add subscription" I have seen problems in the past, however, when testing. What I have found is that the best way to make sure you are not seeing a cookie/session issue is to exit all instances of your browser (and all applications that might envoke an instance of the browser shell), clear your cookies and then log back in. I would see varying results when I would just log out or clear the cookies without making sure all of the browser windows were closed. Another suggestion might be posting your .htaccess file (or sending it to support). Mine, for example, looks like this: RewriteEngine On RewriteRule ^(.*)$ /access/plugins/protect/php_include/rewrite.php [E=PRODUCT_ID:"2;3"] This is for a folder that only users that are subscribed to products 2 and 3 are allowed. Hope this helps! Frank
more info on mod_rewrite problem Frank- Thanks for the reply. Support probably has looked at the htaccess files already since I gave them FTP access, but I also sent it to them as well. I've cleared the cookies/cache/history, restarted my computer, ended all non-essential processes, closed all browser windows etc. I've also tried logging in from computers that have never visited the site... I still get the same behavior. Anyhow, here are my .htaccess files folder1 Options +FollowSymLinks RewriteEngine On RewriteRule ^(.*)$ /cg/plugins/protect/php_include/rewrite.php [E=PRODUCT_ID:6] folder2 Options +FollowSymLinks RewriteEngine On RewriteRule ^(.*)$ /cg/plugins/protect/php_include/rewrite.php [E=PRODUCT_ID:1;2;3;4] folder 3 Options +FollowSymLinks RewriteEngine On RewriteRule ^(.*)$ /cg/plugins/protect/php_include/rewrite.php [E=PRODUCT_ID:5;1;2;3;4] A user having product 5 should only have access to folder 3. However, I have been able to access folder2 and folder1, which should not be possible... In any case, it sounds like the script is working (i assume you are running 2.1.8?), so I think I should narrow my hunt to my server configuration... thanks. james p.s. Thanks for the MamboServer module. It works great. I plan on posting a quick how-to/info later on after I get this thing sorted out...
Updates... I'm still working on this problem and there's no progress. I've installed another copy of amember into an adjacent folder, created another MySQL db, and created new products, new folders, and new protections. I am still able to access any of the protected folders regardless of user account product. The good thing is that if user is expired, all access is denied, so something is working. -james
Some Success! Some Success at last! Alex spent some time looking around and got it working!!! It's a workaround, but it works as it should. Since no one else seems to be having problems like this, I suspect it must be my server config. I'm running on the latest Cpanel on RHEL 3.0 so I'm not sure what could be the problem. If I find anything, I'll update this thread...
mod_rewrite not working at all for PC I set up the "protect folders" for all my products and thought it was working fine, because I tested it on my mac, but now I have tons of complaints from PC users and I checked on a PC and it isn't working at all--what could be wrong? Was I supposed to do something other than go through the protect folders set up? Help.
bizarre--follow-up Movado, I can confirm that your mod_rewrite problem is also on my server. I just had to completely delete all the .htaccess files generated by the "protect folders" link in amember and went back to my old way--regular old .htaccess protection for my folders (so the double login). But I set up two test folders and gave myself access to one, but not the other. I deleted all cookies, restarted the browser, and YES, I can get into both areas. BUT only on a Windows machine. My Mac works like it should--allowing me access to one, but not the other. The bizarre thing, though, is that previously, I could not get into ANY directories that were protected with mod_rewrite on Windows, while it all worked okay on the mac. Now it seems like I can get into EVERY mod_rewrite protected directory on the Windows machine. So, the bottom line seems to be that the mod_rewrite protection is all or nothing for Windows users, but fine for Mac users. That's the best assessment I can come up with. I'm curious what Alex's workaround was. Do you know the details? I'm also guessing that this is happening to more people, but they may not realize it. Or maybe not that many people are trying to use mod_rewrite. Let me know if you come up with anything else.
Th, there is more setup needed depending on the type of protection. To see what setup is needed, view the online help here http://www.cgi-central.net/scripts/amember/docs/ Tom
There doesn't appear to be anything else Hi Tom. Thanks, but I've read that several times. It seems that version 2.8.1 will generate the .htaccess files with the RewriteEngine lines by using the "protect folders" wizard. That part works fine. I don't see that anything else needs to be done to enable it. It doesn't appear to have to be activated in the protection plugin area either. If you know of something specific I have missed, please let me know. Thanks for your help.
mod_gzip is the problem! After about a week of tinkering and complaining to my hosting company, I believe the problem I experienced was with mod_gzip. The latest experimental version was installed on my cpanel installation and after telling them to remove it, php_include protection via pc's started working properly allowing access where access was allowed and denying access where it should be denied. Alex helped get it working even with mod_gzip installed by creating rewrite.php files for each product I have, e.g. rewrite1.php for product 1, rewrite2.php for product2, etc. This is detailed in depth in the manual. Hope this helps. Eventually, I hope to come up with a list of working apache modules/configurations. My host seems to be very security conscious (actually paranoid...) and they had to change quite a bit of their default settings to allow amember to work as it should.
a copy of my .htaccess file... .htaccess file ########### AMEMBER START ##################### RewriteEngine On RewriteRule ^(.*)$ /amember/plugins/protect/php_include/rewrite1234.php ########### AMEMBER FINISH #################### rewrite1234.php if ($s = $_SERVER['REDIRECT_PRODUCT_ID']) $_product_id = preg_split('/\D+/', $s, -1, PREG_SPLIT_NO_EMPTY); else $_product_id = array(1,2,3,4); $dir = dirname(__FILE__);
movado, thank you for detailed error report! If it will be confirmed that problem is related with mod_gzip, I will add it to the manual.