No direct access to web application

Hi all,

In our environment, we have some running web applications. Now we need to connect some users from VPN to our environment, but we don't want them to directly access these applications. I mean, I know it's a bit illogical to say, but I will try to explain the process in points:

  1. User logs in to our environment via VPN (this we have done successfully).
  2. Right now, users are accessing the web applications directly.
  3. We want to create a page in PHP and provide only this page to them for some initial authentication.
  4. If the authentication is successful, then redirect them to the web application.
  5. If a user tries to access the web application without accessing our page, that application shouldn't open.

The biggest hurdle is, we can't change anything in the web application itself, so just to get some expert views here: can it be done???

I don’t believe there is a practical way of doing this without being able to add support to the application.

Say you create a new PHP page (or pages) that verifies their credentials and then decides whether to route to the application URL or not. Even if you don't publish the URL to the application, this scenario can be easily foiled, as a person can just bookmark the application URL and bypass the check.

To really check that a user has successfully logged in, you need to check session data or database data that verifies or blocks a user based on their login attempt. If the user attempts to access the application URL without logging in, the application's controller would need to reject them and redirect them to the login. As you can't modify the application, this approach is also out.

You are unlikely to find a practical way to do this :frowning:


I’ve also been thinking about this, and the only thing I could think of (and I don’t know if it is possible as I’ve never done it) was to create a custom apache authentication routine that you could embed in an .htaccess file that would validate the user (or check if the user is validated) and if they are not, redirect them to an authentication page.

A part of me says this should be possible, but the other part of me is yelling that it may be a LOT of work when modifying the existing applications would be far less trivial.
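The approach the reply above sketches, enforcing the login at the web server layer rather than inside the application, can be done with Apache 2.4's own modules instead of a custom routine. The following is an added example written for this thread, not configuration from either poster or from any existing project: a reverse-proxy virtual host that uses mod_auth_form and mod_session to require a form login before anything under /app/ is proxied to the unmodified backend. The hostnames, paths, the htpasswd file and the passphrase are placeholders.

```apache
# Added example (not from the thread). Assumed modules: mod_proxy, mod_proxy_http,
# mod_auth_form, mod_session, mod_session_cookie, mod_session_crypto,
# mod_request, mod_authn_file. All names below are placeholders.
<VirtualHost *:443>
    ServerName gateway.example.internal
    # TLS directives omitted; the session cookie below is marked "secure",
    # so this host must be served over HTTPS.

    # Encrypted, HttpOnly session cookie that records the login state.
    Session On
    SessionCookieName gw_session path=/;httponly;secure
    SessionCryptoPassphrase "replace-with-a-long-random-secret"
    SessionMaxAge 3600

    # The login form is served by the gateway itself, without authentication.
    # It must POST the fields "httpd_username" and "httpd_password" to /dologin.
    <Location "/login.html">
        Require all granted
    </Location>

    # Form handler: checks the posted credentials against the htpasswd file
    # and, on success, writes the session and redirects into the application.
    <Location "/dologin">
        SetHandler form-login-handler
        AuthType form
        AuthName "Gateway"
        AuthFormProvider file
        AuthUserFile "/etc/apache2/gateway.htpasswd"
        AuthFormLoginRequiredLocation "/login.html"
        AuthFormLoginSuccessLocation "/app/"
        Require valid-user
    </Location>

    # Everything under /app/ needs a valid session; without one the request is
    # redirected to the login form and never reaches the backend.
    <Location "/app/">
        AuthType form
        AuthName "Gateway"
        AuthFormProvider file
        AuthUserFile "/etc/apache2/gateway.htpasswd"
        AuthFormLoginRequiredLocation "/login.html"
        Require valid-user
        ProxyPass "http://app-backend.internal:8080/"
        ProxyPassReverse "http://app-backend.internal:8080/"
    </Location>
</VirtualHost>
```

This only solves the problem if the backend address is unreachable from the VPN range except through the gateway (firewall rule, or binding the application to an address only the gateway can reach); otherwise a user who bookmarks the direct application URL bypasses the check exactly as described earlier in the thread. Applications that hard-code their own root path may not tolerate being served under /app/; in that case give the proxied application its own virtual host at "/" with the same auth directives. The login state lives entirely in the encrypted gateway cookie, so the application itself still knows nothing about these users and is left untouched.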